Syracuse University, School of Computer and Information Science
Proving Program Correctness. Volume V.
Nov 81. J. C. Reynolds. Contract F30602-77-C-0235
Unclassified. RADC-TR-80-379-Vol-5
RADC-TR-80-379, Vol V (of five)
Final Technical Report
November 1981


PROVING PROGRAM CORRECTNESS


Syracuse University


ROME AIR DEVELOPMENT CENTER

Air Force Systems Command

Griffiss Air Force Base, New York 13441


This report has been reviewed by the RADC Public Affairs Office (PA) and
is releasable to the National Technical Information Service (NTIS). At NTIS
it will be releasable to the general public, including foreign nations.

RADC-TR-80-379, Vol V (of five) has been reviewed and is approved for
publication.


APPROVED:


CLEMENT D. FALZARANO
Project Engineer


JOHN P. HUSS
Acting Chief, Plans Office


If your address has changed or if you wish to be removed from the RADC
mailing list, or if the addressee is no longer employed by your organization,
please notify RADC (ISIS) Griffiss AFB NY 13441. This will assist us in
maintaining a current mailing list.

Do not return copies of this report unless contractual obligations or notices
on a specific document require that it be returned.


REPORT DOCUMENTATION PAGE (DD Form 1473)

1. Report number: RADC-TR-80-379, Vol V (of five)
4. Title: PROVING PROGRAM CORRECTNESS
5. Type of report and period covered: Final Technical Report, 1 Oct 77 - 30 Sep 80
6. Performing organization report number: N/A
7. Author: John C. Reynolds
8. Contract or grant number: F30602-77-C-0235
9. Performing organization name and address: Syracuse University,
   School of Computer & Information Science, Syracuse NY 13210
10. Program element, project, task area and work unit numbers: 62702F, 55811903
11. Controlling office name and address: Rome Air Development Center (ISIS),
   Griffiss AFB NY 13441
12. Report date: November 1981
14. Monitoring agency name and address: Same
15. Security class (of this report): UNCLASSIFIED
15a. Declassification/downgrading schedule: N/A
16. Distribution statement (of this report): Approved for public release;
   distribution unlimited
17. Distribution statement (of the abstract): Same
18. Supplementary notes: RADC Project Engineer: Clement D. Falzarano (CO)
19. Key words: Programming Systems; Simulation; Programming Languages;
   Scheduling Algorithm; Programming Grammars; Logic Programming;
   Proving Programs Correct; Computer Modeling
20. Abstract:

The "Language Studies" contract is divided into four project areas, all of
which are directed to the problems of effectively, reliably and efficiently
using modern computers in a wide range of applications.

Three of the projects deal with methods of communicating with computers.
Task 1. Very High Level Programming Systems (P.I.: J.A. Robinson). This
group is working towards combining the features developed to support work
in the area of artificial intelligence and those used in general program

UNCLASSIFIED


Preface


This report describes efforts completed in the Language
Studies project at Syracuse University under RADC contract
F30602-77-C-0235. The work covers the period October 1, 1977
through September 30, 1980.

The report is produced in five volumes to facilitate single
volume distribution.

Volume 1. Report from the Very High Level Programming Systems
task. Report title is "Logic Programming in Lisp".

Volume 2. Report from the Systems Studies task. Report
title is "Multiple Finite Queueing Model with Fixed
Priority Scheduling".

Volume 3. Report from the Systems Studies task. Report title
is "An Algorithmic Solution for a Queueing Model
of a Computer System with Interactive and Batch Jobs".

Volume 4. Report from the Grammars of Programming task. Report
title is "Integrated Parallel Processes: The
Elements of Meaning in Language".

Volume 5. Report from the Proving Program Correctness task.
Report title is "Proving Program Correctness".


The  main  goal  of  our  research  over  the  last  three  years  has  been  the 
development  of  a  programming  language  with  the  basic  character  of  Algol  60, 
but  without  the  major  deficiencies  of  this  language. 

Of  course,  Algol  60  had  a  pivotal  influence  on  language  theory  and 
design  when  it  was  first  introduced  nearly  twenty  years  ago.  However,  the 
long-term  result  of  this  influence  has  been  languages  that  are  quite 
different  than  Algol  60,  and  which  overcome  its  deficiencies  at  the  expense 
of  introducing  new,  quite  different  limitations. 

On  the  one  hand,  Algol  60  inspired  the  development  of  semantic  models, 
particularly  by  Strachey  and  Landin,  which  in  turn  led  to  the  development 
of  languages  such  as  ISWIM,  PAL,  GEDANKEN,  and,  in  a  somewhat  different  line 
of  development,  Algol  68.  All  of  these  languages  are  "higher  level"  than 
Algol  60;  in  particular,  they  require  a  heap  (garbage-collectable  store) 
for  their  implementation,  and  make  it  difficult  to  determine  whether  a 
particular  data  item  is  stored  in  a  stack  or  a  heap. 

On the other hand, the machine implementation of Algol 60 led to the
design of languages that avoided various inherently inefficient features
of that language. At the same time, Hoare's development of axiomatic
language definitions has encouraged the abandonment of certain features,
such as procedural parameters and call by name, that are difficult to treat
axiomatically. This line of development has led to languages such as
PASCAL, EUCLID, MESA, and ADA, which are all "lower level" than Algol 60.

Our own goal has been to improve and extend Algol 60 without
changing its basic character. In particular, we want to retain both the
use of stack storage allocation and the power of the Algol procedure
mechanism.

A  first  step  in  this  direction  has  been  the  development  of  an 
idealization  of  Algol  that  is  described  in  the  first  part  of  Appendix  A. 

In this language, the type structure has been refined to permit the complete
syntactic detection of procedure parameter mismatches, lambda expressions
and fixed-point operators of all types have been introduced, and a wide
variety of language features have been described as abbreviations for more
basic structures. (In Landin's phrase, they have been reduced to "syntactic
sugar".)

The  main  shortcoming  of  this  language,  as  of  Algol  60  itself,  is  the 
phenomenon  of  interference,  which  includes  both  variable  aliasing  and  various 
kinds  of  procedural  side  effects.  To  deal  with  this  phenomenon,  we  have 
explored  two  quite  different  approaches.  The  first,  called  the  syntactic 
control  of  interference,  is  to  restrict  the  language  so  as  to  make  potential 
interference  syntactically  detectable.  The  second,  which  is  embodied  in 
specification  logic,  is  to  regard  noninterference  as  a  relation  between  pairs 
of  language  phrases  that  must  be  proved. 

In  the  syntactic  control  of  interference,  described  in  Appendix  A, 
the  language  is  restricted  so  that  distinct  identifiers  always  denote 
noninterfering  entities,  while  interfering  entities  must  be  named  by 
qualifications  of  the  same  identifier.  This  approach  leads  to  certain 
syntactic  difficulties:  the  natural  abstract  syntax  is  ambiguous,  and 
syntactic  correctness  is  violated  by  certain  beta  reductions. 


These  difficulties  were  an  initial  motivation  for  the  development  of  a 
generalization  of  many-sorted  algebras,  called  category-sorted  algebras, 
which  is  described  in  Appendix  B.  In  their  most  obvious  application,  these 
algebras  are  a  language  design  tool  for  controlling  the  interaction  between 
type  conversions  and  generic  operators.  The  underlying  idea  is  to  permit 
an  abstract  syntax  to  be  ambiguous  while  insuring  that  this  ambiguity  does 
not  produce  an  ambiguity  of  meaning. 

Specification  logic  is  a  new  approach  to  proving  the  correctness  of 
programs  written  in  an  Algol-like  language.  Its  central  novelty  is  to 
regard  specifications  such  as  Hoare's  {P}  S  {Q}  as  predicates  about 
environments  (in  the  sense  of  Strachey  and  Landin) .  By  introducing  new 
forms  of  specifications  it  is  possible  to  formulate  universal  specifications 
that  are  true  in  all  environments,  and  to  give  rules  for  the  inference  of 
such  universal  specifications.  This  logical  system  goes  beyond  such  approaches 
as  Hoare's  axiomatic  semantics,  Dijkstra's  weakest  preconditions,  and  Pratt's 
dynamic  logic  in  its  ability  to  treat  interference  phenomena,  call  by  name, 
and  statement  parameters.  Moreover,  by  introducing  lambda  expressions  and 
beta  reduction,  it  is  possible  to  use  simpler  and  more  abstract  inference 
rules  than  in  other  logics  that  treat  procedures. 

The  semantics  of  specifications,  and  rules  for  their  inference  are 
described  in  Appendix  C. 

In  addition  to  the  above  developments,  which  are  related  to  the  design 
of  an  Algol-like  language,  we  have  also  investigated  a  variety  of  concepts, 
laws,  and  notations  for  making  precise  yet  intelligible  assertions  about 
arrays. This work is based upon Hoare's idea that an array is a variable-like
entity whose value is a function on an interval of integers. Interval and
partition  diagrams  are  introduced  to  make  assertions  about  intervals  without 
recourse  to  inequalities.  A  variety  of  functional  concepts,  such  as 
restriction,  images,  pointwise-extended  relations,  ordering,  and  rearrangement, 
are  used  to  minimize  quantifiers  in  assertions  about  array  values. 

Our  early  work  in  this  area  is  described  in  Appendix  D.  More  recently, 
we  have  made  further  progress  by  generalizing  the  concept  of  shift  equivalence 
to  that  of  realignment,  introducing  a  kind  of  abstract  concatenation  based 
upon  the  disjoint  union,  and  using  preimages  and  related  concepts.  This  work 
is  described  in  Appendix  E. 


APPENDIX A


SYNTACTIC CONTROL OF INTERFERENCE


John C. Reynolds

School of Computer and Information Science
Syracuse University


ABSTRACT In programming languages which permit both assignment and procedures, distinct identifiers
can represent data structures which share storage or procedures with interfering side effects. In
addition to being a direct source of programming errors, this phenomenon, which we call interference,
can impact type structure and parallelism. We show how to eliminate these difficulties by imposing
syntactic restrictions, without prohibiting the kind of constructive interference which occurs with
higher-order procedures or SIMULA classes. The basic idea is to prohibit interference between
identifiers, but to permit interference among components of collections named by single identifiers.


The Problem

It has long been known that a variety of anomalies can arise when a
programming language combines assignment with a sufficiently powerful
procedure mechanism. The simplest and best-understood case is aliasing or
sharing between variables, but there are also subtler phenomena of the kind
known vaguely as "interfering side effects".

In this paper we will show that these anomalies are instances of a general
phenomenon which we call interference. We will argue that it is vital to
constrain a language so that interference is syntactically detectable, and
we will suggest principles for this constraint.

Between simple variables, the only form of interference is aliasing or
sharing. Consider, for example, the factorial-computing program

procedure fact(n, f); integer n, f;
begin integer k;
  k := 0; f := 1;
  while k ≠ n do
    begin k := k + 1; f := k × f end
end .

Suppose n and f are called by name as in Algol, or by reference as in
FORTRAN, and consider the effect of a call such as fact(t, t), in which
both actual parameters are the same. Then the formal parameters n and f
will be aliases, i.e., they will interfere in the sense that assigning to
either one will affect the value of the other. As a consequence, the
assignment f := 1 will obliterate the value of n so that fact(t, t) will
not behave correctly.

In this case the problem can be solved by changing n to a local variable
which is initialized to the value of the input parameter; this is
tantamount to calling n by value. But while this solution is adequate for
simple variables, it can become impractical for arrays. For example, the
procedure

procedure transpose(X, Y); real array X, Y;
  for i := 1 until 50 do
    for j := 1 until 50 do
      Y[i, j] := X[j, i]

will malfunction for a call such as transpose(Z, Z) which causes X and Y
to be aliases. But changing X to a local variable only solves this problem
at the expense of gross inefficiency in both time and space. Certainly,
this inefficiency should not be imposed upon calls which do not produce
interference. On the other hand, in-place transposition is best done by a
completely different algorithm.

This suggests that it is reasonable to permit procedures such as
transpose, but to prohibit calls of such procedures with interfering
parameters.
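The two failures above, reproduced as an added Python example that is not part of Reynolds' report. Call by name (Algol) or by reference (FORTRAN) is simulated with a mutable `Cell` holder, an assumed helper; binding both formals to the same cell makes them aliases exactly as in fact(t, t) and transpose(Z, Z). The names run_fact, fact_n_by_value and transpose_demo are this example's own, and the 3×3 matrix is a constructed input.

```python
"""Aliasing between formal parameters: fact(t, t) and transpose(Z, Z)."""
from typing import List


class Cell:
    """A mutable integer variable that can be passed by reference (assumed helper)."""

    def __init__(self, value: int) -> None:
        self.value = value


def fact_by_reference(n: Cell, f: Cell) -> None:
    """Reynolds' fact(n, f) with both parameters by reference.

    If n and f are aliases, f := 1 also sets n := 1, so the loop stops
    after a single iteration and leaves 1 in the output variable.
    """
    k = 0
    f.value = 1
    while k != n.value:
        k += 1
        f.value = k * f.value


def fact_n_by_value(n: Cell, f: Cell) -> None:
    """The fix suggested in the paper for simple variables: copy n into a
    local variable, which is tantamount to calling n by value."""
    n_local = n.value
    k = 0
    f.value = 1
    while k != n_local:
        k += 1
        f.value = k * f.value


def run_fact(by_value: bool, aliased: bool, n: int = 5) -> int:
    """Run one variant with distinct or aliased actual parameters and
    return the value left in the output variable."""
    t = Cell(n)
    f = t if aliased else Cell(0)       # aliased: both formals denote t
    (fact_n_by_value if by_value else fact_by_reference)(t, f)
    return f.value


Matrix = List[List[int]]


def transpose_into(x: Matrix, y: Matrix) -> None:
    """Reynolds' transpose(X, Y): Y[i, j] := X[j, i] for all i, j.
    Correct only when X and Y do not share storage."""
    size = len(x)
    for i in range(size):
        for j in range(size):
            y[i][j] = x[j][i]


def transpose_demo(aliased: bool) -> Matrix:
    """Constructed 3x3 input; returns the matrix left in Y."""
    z = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]
    y = z if aliased else [[0] * 3 for _ in range(3)]
    transpose_into(z, y)
    return y


if __name__ == "__main__":
    print("fact(t, t), by reference:", run_fact(by_value=False, aliased=True))  # 1, not 120
    print("fact(t, t), n by value  :", run_fact(by_value=True, aliased=True))   # 120
    print("transpose(Z, Z)         :", transpose_demo(aliased=True))           # symmetric garbage
```

With the alias, transpose(Z, Z) overwrites row 0 before rows 1 and 2 read it, so the result is a symmetric matrix rather than the transpose; copying Z into a local array would fix it at the cost the paper calls gross inefficiency.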

Although these difficulties date back to Algol and FORTRAN, more recent
languages have introduced new features which exacerbate the problem of
interference. One such feature is the union of data types. Suppose x is a
variable whose value can range over the union of the disjoint data types
integer and character. Then the language must provide some construct for
branching on whether the current value of x is an integer or a character,
and thereafter treating x as one type or the other. For example, one might
write

unioncase x of (integer: S; character: S') ,

where x may be used as an identifier of type integer in S and as an
identifier of type character in S'. However, consider

unioncase x of
  (integer: (y := "A"; n := x + 1);
   character: noaction)


[Figure: the arrays nodelist, item and link, holding for each node a linked list of its immediate successors; used by itersucc below]

It is evident that aliasing between x and y can cause a type error in the
expression x + 1. Thus, in the presence of a union mechanism, interference
can destroy type security. This problem occurs with variant records in
PASCAL [1], and is only avoided in Algol 68 [2] at the expense of copying
union values.

The introduction of parallelism also causes serious difficulties. Hoare
[3,4] and Brinch Hansen [5] have argued convincingly that intelligible
programming requires all interactions between parallel processes to be
mediated by some mechanism such as a critical region or monitor. As a
consequence, in the absence of any critical regions or monitor calls, the
parallel execution of two statements, written S1 || S2, can only be
permitted when S1 and S2 do not interfere with one another. For example,

x := x + 1 || y := y × 2

would not be permissible when x and y were aliases.

In this paper, we will not consider interacting parallel processes, but we
will permit the parallel construct S1 || S2 when it is syntactically evident
that S1 and S2 do not interfere. Although this kind of determinate
parallelism is inadequate for practical concurrent programming, it is
sufficient to make the consequences of interference especially vivid. For
example, when x and y are aliases, the above statement becomes equivalent to

x := x + 1 || x := x × 2

whose meaning, if any, is indeterminate, machine-dependent, and useless.

These examples demonstrate the desirability of constraining a language so
that variable aliasing is syntactically detectable. Indeed, several authors
have suggested constraints which would eliminate aliasing completely [6,7].

However, aliasing is only the simplest case of the more general phenomenon
of interference, which can occur between a variety of program phrases. We
have already spoken of two statements interfering when one can perform any
action which affects the other. Similarly, two procedures interfere when one
can perform a global action which has a global effect upon the other.

Interference raises the same problems as variable aliasing. For example,
P(1) || Q(4) is only meaningful if the procedures P and Q do not interfere.
Thus the case for syntactic detection extends from aliasing to interference
in general. However, the complete prohibition of interference would be
untenably restrictive since, unlike variables, interfering expressions,
statements, and procedures can have usefully different meanings.

Both the usefulness and the dangers of interference between procedures arise
when procedures are used to encapsulate data representations. As an
example, consider a finite directed graph whose nodes are labelled by small
integers. Such a graph might be represented by giving, for each node n, a
linked list of its immediate successors n1, ..., nk, held in the arrays
nodelist, item and link pictured above.

This representation is used by the procedure

procedure itersucc(n, p); integer n; procedure p;
begin integer k;
  k := nodelist(n);
  while k ≠ 0 do
    begin p(item(k)); k := link(k) end
end

which causes the procedure p to be applied to each immediate successor of
the node n.

If the graph is ever to change, then something - probably a procedure such
as "addedge" or "deleteedge" - must interfere with itersucc by assigning to
the global arrays nodelist, item, and link. On the other hand, the correct
operation of itersucc requires that the procedure parameter p must not
assign to these arrays, i.e., that p must not interfere with itersucc.
Indeed, if itersucc involved parallelism, e.g. if the body of the while
statement were

begin integer m;
  m := item(k);
  begin p(m) || k := link(k) end
end ,

then noninterference between p and itersucc would be required for
meaningfulness rather than just correctness.

Of course, the need for interfering procedures would vanish if the graph
representation were a parameter to the procedures which use it. But this
would preclude an important style of programming - epitomized by SIMULA 67
[8] - in which data abstraction is realized by using collections of
procedures which interfere via hidden global variables.
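itersucc and the interference of its parameter procedure p with it, as an added Python example that is not from the report. The arrays nodelist, item and link follow the paper's representation; the Graph class, its free list for recycled cells, the sample graph (node 1 with successors 2, 3, 4) and the function names are this example's constructions. The interfering p deletes the edge it is visiting, so the k := link(k) step reads the recycled cell's link rather than the successor list and the traversal stops early; the noninterfering version finishes the traversal with a passive p before mutating anything.

```python
"""itersucc over nodelist/item/link, with an interfering and a passive p."""
from typing import Callable, List, Tuple


class Graph:
    """Successor lists kept in three arrays, as in the paper: nodelist(n) is
    the first cell of n's list, item(k) the node stored in cell k, link(k)
    the next cell (0 = end of list). Freed cells go on a free list threaded
    through link (an assumed detail; the paper does not say how cells are
    recycled)."""

    def __init__(self, nodes: int, cells: int) -> None:
        self.nodelist: List[int] = [0] * (nodes + 1)
        self.item: List[int] = [0] * (cells + 1)
        self.link: List[int] = [0] * (cells + 1)
        self.free = 0          # head of the free list, 0 if empty
        self.next_new = 1      # first never-used cell

    def _alloc(self) -> int:
        if self.free:
            k, self.free = self.free, self.link[self.free]
        else:
            k, self.next_new = self.next_new, self.next_new + 1
        return k

    def addedge(self, n: int, m: int) -> None:
        """Push m on the front of n's successor list."""
        k = self._alloc()
        self.item[k], self.link[k] = m, self.nodelist[n]
        self.nodelist[n] = k

    def deleteedge(self, n: int, m: int) -> None:
        """Unlink the first cell holding m from n's list and recycle it."""
        prev, k = 0, self.nodelist[n]
        while k and self.item[k] != m:
            prev, k = k, self.link[k]
        if not k:
            return
        if prev:
            self.link[prev] = self.link[k]
        else:
            self.nodelist[n] = self.link[k]
        self.link[k], self.free = self.free, k   # cell k now heads the free list

    def itersucc(self, n: int, p: Callable[[int], None]) -> None:
        """Reynolds' itersucc: apply p to each immediate successor of n.
        Correct only while p does not assign to nodelist, item or link."""
        k = self.nodelist[n]
        while k != 0:
            p(self.item[k])
            k = self.link[k]

    def successors(self, n: int) -> List[int]:
        """Traversal with a passive p that only records what it is given."""
        out: List[int] = []
        self.itersucc(n, out.append)
        return out


def build() -> Graph:
    """Constructed sample: node 1 with successors 2, 3, 4 (list order 4, 3, 2)."""
    g = Graph(nodes=4, cells=8)
    for m in (2, 3, 4):
        g.addedge(1, m)
    return g


def delete_all_interfering() -> Tuple[List[int], List[int]]:
    """p assigns to the global arrays while itersucc is still walking them.
    Returns (nodes p was applied to, successors left afterwards)."""
    g = build()
    visited: List[int] = []

    def p(m: int) -> None:
        visited.append(m)
        g.deleteedge(1, m)   # link(k) is now the free-list link, not the successor link

    g.itersucc(1, p)
    return visited, g.successors(1)


def delete_all_noninterfering() -> Tuple[List[int], List[int]]:
    """The traversal is completed by a passive p before any edge is removed."""
    g = build()
    visited = g.successors(1)
    for m in visited:
        g.deleteedge(1, m)
    return visited, g.successors(1)


if __name__ == "__main__":
    print("interfering p   :", delete_all_interfering())     # ([4], [3, 2])
    print("noninterfering p:", delete_all_noninterfering())  # ([4, 3, 2], [])
```

The interfering version applies p to only one successor and leaves two edges in place, which is the correctness failure the text describes; with the parallel body p(m) || k := link(k) the outcome would additionally depend on which side ran first.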

In summary, these examples motivate the basic goal of this paper: to design
a programming language in which interference is possible yet syntactically
detectable. To the author's knowledge, the only current language which tries
to meet this goal is Euclid [7]. The approach used in Euclid is quite
different than that given here, and apparently precludes procedural
parameters and call-by-name.
The Basic Approach

Before proceeding further, we must delineate the idea of interference more
precisely. By a phrase we mean a variable, expression, statement, or
procedure denotation. In the first three cases, we speak of exercising the
phrase P, meaning: either assigning or evaluating P if it is a variable,
evaluating P if it is an expression, or executing P if it is a statement.

For phrases P and Q, we write P # Q to indicate that it is syntactically
detectable that P and Q do not interfere. More precisely, # is a
syntactically decidable symmetric relation between phrases such that:

(1) If neither P nor Q denotes a procedure, then P # Q implies that, for all
ways of exercising P and Q, the exercise of P will have no effect on the
exercise of Q (and vice-versa). Thus the meaning of exercising P and Q in
parallel is well-defined and determinate.

(2) If P denotes a procedure, A1, ..., An are syntactically appropriate
actual parameters, P # Q, and A1 # Q, ..., An # Q, then P(A1, ..., An) # Q.
(Thus P # Q captures the idea that P cannot interfere with Q via global
variables.)

It should be emphasized that these rules have a fail-safe character: P # Q
implies that P and Q cannot interfere, but not the converse. Indeed, the
rules are vacuously satisfied by defining # to be universally false, and
there is a probably endless sequence of satisfactory definitions which come
ever closer to the semantic relation of noninterference at the expense of
increasing complexity. Where to stop is ultimately a question of taste:
P # Q should mean that P and Q obviously do not interfere.

Our own approach is based upon three principles:

(I) If I # J for all identifiers I occurring free in P and J occurring free
in Q, then P # Q.

In effect, all "channels" of interference must be named by identifiers. For
the language discussed in this paper, this principle is trivial, since the
only such channels are variables. In a richer language, the principle would
imply, for example, that all I/O devices must be named by identifiers.

(II) If I and J are distinct identifiers, then I # J.

This is the most controversial of our principles, since it enforces a
particular convention for distinguishing between interfering and
noninterfering phrases. Interfering procedures (and other entities) are
still permissible, but they must occur within a collection which is named
by a single identifier. (An example of such a collection is a typical
element in a SIMULA [8] class. Indeed, the idea of using such collections
was suggested by the SIMULA class mechanism, although we will permit
collections which do not belong to any class.)

(III) Certain types of phrases, such as expressions, and procedures which
do not assign to global variables, are said to be passive. When P and Q are
both passive, P # Q.

Passive phrases perform no assignments or other actions which could cause
interference. Thus they cannot interfere with one another or even with
themselves, although an active phrase and a passive phrase can interfere.

An Illustrative Language

To illustrate the above principles we will first introduce an Algol-based
language which, although it satisfies Principle (I), permits uncontrolled
interference. We will then impose Principle (II) to make interference
syntactically detectable. Finally, we will explore the consequences of
Principle (III).

Unlike Algol, the illustrative language is completely typed, so that
reduction (i.e. application of the copy rule) cannot introduce syntax
errors. It provides lambda expressions and fixed-point operators for all
program types, and a named Cartesian product, which is needed for the
collections discussed under Principle II. Procedure declarations,
multiple-parameter procedures, and classes are treated as syntactic sugar,
i.e., as abbreviations which are defined in terms of more basic linguistic
constructs.

Arrays, call-by-value, jumps and labels, unions of types, references,
input-output, and critical regions are not considered.

We distinguish between data types, which are the types of values of simple
variables, and program types, which are the types which can be declared for
identifiers and specified for parameters. The only data types are integer,
real, and Boolean, as in Algol, but there are an infinite number of program
types. Specifically, the set of program types is the smallest set such that:

(T1) If δ is a data type, then δ var (meaning variable) and δ exp (meaning
expression) are program types.

(T2) sta (meaning statement) is a program type.

(T3) If ω and ω' are program types, then ω → ω' is a program type.

(T4) If ω is a function from a finite set of identifiers into program
types, then Π(ω) is a program type.

A formal parameter specified to have type δ var can be used on either side
of assignment statements, while a formal parameter specified to have type
δ exp can only be used as an expression. The program type ω → ω' describes
procedures whose single parameter has type ω and whose call has type ω'.
For example, the Algol procedures

procedure p1(n); integer n; n := n + 1;

real procedure p2(x); real x; p2 := x × x;

would have types integer var → sta and real exp → real exp respectively.
The program type Π(ω) is a Cartesian product in which components are
indexed by identifiers rather than by consecutive integers. Specifically,
Π(ω) describes collections in which each ι in the domain of ω indexes a
component of type ω(ι). The function ω will always be written as a list of
pairs of the form argument: value. Thus, for example, Π(inc: sta, val:
integer exp) describes collections in which inc indexes a statement and val
indexes an integer expression. A typical phrase of this type might be
<inc: n := n + 1, val: n × n>.

To simplify the description of syntax we will ignore aspects of concrete
representation such as parenthesization, and we will adopt the fiction that
each identifier has a fixed program type (except when used as a component
index), when in fact the program type of an identifier will be specified in
the format ι:ω when the identifier is bound.

We write <ω id> and <ω> to denote the sets of identifiers and phrases with
program type ω. Then the syntax of the illustrative language is given by
the following production schemata, in which δ ranges over all data types,
ω, ω', ω1, ... range over program types, and ι, ι1, ..., ιn range over
identifiers:

<δ exp> ::= <δ var>

<integer exp> ::= 0
  | <integer exp> + <integer exp>

<Boolean exp> ::= true
  | <integer exp> = <integer exp>
  | <Boolean exp> ∧ <Boolean exp>

(and similarly for other constants and operations on data types)

<sta> ::= <δ var> := <δ exp>
  | noaction
  | <sta> ; <sta>
  | while <Boolean exp> do <sta>
  | new <δ var id> in <sta>

<ω> ::= <ω id>

<ω → ω'> ::= λ<ω id>. <ω'>

<ω'> ::= <ω → ω'>(<ω>)

<Π(ι1:ω1, ..., ιn:ωn)> ::= <ι1: <ω1>, ..., ιn: <ωn>>

<ωk> ::= <Π(ι1:ω1, ..., ιn:ωn)>.ιk

<ω> ::= if <Boolean exp> then <ω> else <ω>

<ω> ::= Y(<ω → ω>)
Although  a  formal  aenantic  epeclf lcatlon  la 
beyond  the  acope  of  thla  paper,  the  meaning  of  our 
language  can  be  explicated  by  various  reduction 
rules.  For  lambda  expressions,  we  have  the  usual 
rule  of  beta-reduction: 

ui.  f)  (0)  -  r|,  „  p 

where  the  right  side  denotes  the  result  of 
substituting  Q  for  the  free  occurrences  of  1  In  P, 
after  changing  bound  identifiers  In  P  to  avoid 
conflicts  with  free  Identifiers  in  Q.  Note  that 
this  rule  implies  call  by  name:  if  P  does  not 
contain  a  free  occurrence  of  I  then  (If.  P)(Q) 


reduces  to  l>  even  If  Q  It  nontaralr.it lag  or  causae 
aide  effects.  For  collection  expressions,  wa  have 

“r  pi . V  V-  *„  *  • 

For  example, 

<  Inc:  n  :*  rrU,  val:  nxn  >  .  Inc  -  n  :•  n+1  . 

Again,  there  la  a  flavor  of  call-by-naas,  alnca  the 
above  reduction  would  still  hold  If  n*n  wars 
replaced  by  a  nonterminating  axpresalon.  The 
fixed-point  operator  Y  can  alao  ba  alucldatad  by  a 
reduction  rule:  ~ 

Y(f)  -  ffYff))  , 

In  addition  to  lambda  expressions,  the  only 
other  binding  mechanism  In  our  language  la  the 
declaration  of  new  variables.  The  statement 

[Integer*) 

real  Lj  S  haa  the  same  meaning  as  the 
Boolean  J  f integer I 
Algol  statement  begin  I  real  I  I;  S  end. 

1  Boolean  [ 

By  themselves,  laaCda  expressions  and  new 
variable  declarations  era  an  austere  vocabulary 
for  variable  binding.  But  they  are  sufficient  to 
permit  other  binding  mcchanleaa  to  ba  defined  as 
abbreviations.  This  approach  Is  vital  for  the 
language  constraints  which  will  be  given  below, 
since  It  Insures  that  ell  binding  mechanisms  will 
be  affected  uniformly. 

Multiple-parameter procedures are treated following Curry [9]:

P(A_1, ..., A_n) ≡ P(A_1) ... (A_n)

λ(I_1: ω_1, ..., I_n: ω_n). B ≡ λI_1: ω_1. ... λI_n: ω_n. B ,


and definitional forms, including procedure declarations, are treated following Landin [10]:

let I = Q in P ≡ (λI. P)(Q)

let rec I = Q in P ≡ (λI. P)(Y(λI. Q)) .

(However, unlike Landin, we are using call-by-name.) We will omit type specifications from let and let rec expressions when the type of I is apparent from Q.

As shown in the Appendix, classes (in a slightly more limited sense than in SIMULA) can also be defined as abbreviations.

As an example, the declaration of the procedure fact shown at the beginning of this paper, along with a statement S in the scope of this declaration, would be written as:

let fact = λ(n: integer exp, f: integer var).
             new k: integer in
               (k := 0; f := 1;
                while k ≠ n do (k := k+1; f := k×f))
in S .

After eliminating abbreviations, this becomes

(λfact: integer exp → (integer var → sta). S)
  (λn: integer exp. λf: integer var.
     new k: integer in
       (k := 0; f := 1;
        while k ≠ n do (k := k+1; f := k×f))) .
Controlling Interference

The illustrative language already satisfies Principle I. If we can constrain it to satisfy Principle II as well, then P # Q will hold when P and Q have no free identifiers in common. By assuming the most pessimistic definition of # compatible with this result (and postponing the consequences of Principle III until the next section), we get

P # Q iff F(P) ∩ F(Q) = {} ,

where F(P) denotes the set of identifiers which occur free in P.

To establish Principle II, we must consider each way of binding an identifier. A new variable declaration causes no problems, since new variables are guaranteed to be independent of all previously declared entities. But a lambda expression can cause trouble, since its formal parameter will interfere with its global identifiers if it is ever applied to an actual parameter which interferes with the global identifiers, or equivalently, with the procedure itself. To avoid this interference, we will restrict the call P(A) of a procedure by imposing the requirement P # A.

The following informal argument shows why this restriction works. Consider a beta-reduction (λI. P)(Q). Within P there may be a pair of identifiers which are syntactically required to satisfy the #-relationship, and therefore must be distinct. If so, it is essential that the substitution I → Q preserve the #-relationship. No problem occurs if neither identifier is the formal parameter I. On the other hand, if one identifier is I, then the other distinct identifier must be global. Thus the #-relation will be preserved if K # Q holds for all global identifiers K, i.e., for all identifiers occurring free in λI. P. This is equivalent to (λI. P) # Q.

More formally, one can show that, with the restriction on procedure calls:

<ω'> ::= <ω → ω'>(<ω>) when <ω → ω'> # <ω> ,

syntactic correctness is preserved by beta reduction (and also by reduction of collection expressions), and continues to be preserved when other productions restricted by # are added, e.g.,

<sta> ::= <sta_1> || <sta_2> when <sta_1> # <sta_2> .


The restriction P # A on P(A) also affects the language constructs which are defined as abbreviations. For let I = Q in P ≡ (λI. P)(Q), and for let rec I = Q in P ≡ (λI. P)(Y(λI. Q)), we have that, except for I, no free identifier of Q can occur free in P. Thus, although one can declare a procedure or a collection of procedures which use global identifiers (the free identifiers of Q), these globals are masked from occurring in the scope P of the declaration, where they would interfere with the identifier I.

For multi-parameter procedures, P(A_1, ..., A_n) ≡ P(A_1) ... (A_n) implies the restrictions P # A_1, P(A_1) # A_2, ..., P(A_1) ... (A_{n-1}) # A_n, which are equivalent to requiring P # A_i for each parameter and A_i # A_j for each pair of distinct parameters.


For example, consider the following procedure for a "repeat" statement:

let repeat = λ(a: sta, b: Boolean exp).
               (a; while ¬b do a) .

In any useful call repeat(A_1, A_2), the statement A_1 will interfere with the Boolean expression A_2. Although this is permitted in the unconstrained illustrative language, as in Algol, it is prohibited by the restriction A_1 # A_2. Instead, one must group the interfering parameters into a collection:

let repeat = λx: Π(a: sta, b: Boolean exp).
               (x.a; while ¬x.b do x.a) ,

and use calls of the form repeat(⟨a: A_1, b: A_2⟩).

This example is characteristic of Principle II. Although interfering parameters are permitted, they require a somewhat cumbersome notation. In compensation, it is immediately clear to the reader of a procedure body when interference between parameters is possible.


Passive Phrases


In making interference syntactically detectable, we have been unnecessarily restrictive. For example, we have forbidden parallel constructs such as

x := n || y := n

or

let twice = λs: sta. (s; s) in
  (twice(x := x+1) || twice(y := y×2)) .

Moreover, the right side of the reduction rule Y(f) → f(Y(f)) violates the requirement f # Y(f), giving a clear sign that there is a problem with recursion.

In the first two cases, we have failed to take into account that the expression n and the procedure twice are passive: they do no assignment (to global variables in the case of procedures), and therefore do not interfere with themselves. Similarly, when f is passive, f # Y(f) holds, and the reduction rule for Y(f) becomes valid. This legitimizes the recursive definition of procedures which do not assign to global variables.

(Recursive procedures which assign to global variables are a more difficult problem. Within the body of such a procedure, the global variables and the procedure itself are interfering entities, and must therefore be represented by components of a collection named by a single identifier. This situation probably doesn't pose any fundamental difficulties, but we have not pursued it.)

The following treatment of passivity is more tentative than the previous development.

Expressions in our language are always passive, since they never cause assignment to free variables. Procedures may be active or passive, independently of their argument and result types. Thus we must distinguish the program type ω →p ω', describing passive procedures, from the program type ω → ω', describing (possibly) active procedures.
More formally, we augment the definition of program types with

(T5) If ω and ω' are program types, then ω →p ω' is a program type,

and we define passive program types to be the smallest set of program types such that

(P1) τ exp is passive.

(P2) ω →p ω' is passive.

(P3) If ω(I) is passive for all I in the domain of ω, then Π(ω) is passive.

Next, for any phrase r, we define A(r) to be the set of identifiers which have at least one free occurrence in r which is outside of any subphrase of passive type. Note that, since identifier occurrences are themselves subphrases, A(r) never contains identifiers of passive type, and since r is a subphrase of itself, A(r) is empty when r has passive type.

Then we relax the definition of P # Q to permit P and Q to contain free occurrences of the same identifier, providing every such occurrence is within a passive subphrase. We define:

P # Q iff A(P) ∩ F(Q) = {} and F(P) ∩ A(Q) = {} .

Finally, we modify the abstract syntax. We define a passive procedure to be one in which no global identifier has an active occurrence:

<ω →p ω'> ::= λ<ω id>. <ω'> when A(<ω'>) − {<ω id>} = {} .

Passive procedures can occur in any context which permits active procedures:

<ω → ω'> ::= <ω →p ω'> ,

but only passive procedures can be operands of the fixed-point operator:

<ω> ::= Y(<ω →p ω>) .
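The checks defined in this section and the preceding one can be run mechanically. The following Python is an added example written for this edition, not code from the paper: phrases of the illustrative language are nested tuples, typeof computes program types and decides passivity by (P1)-(P3) and the production for λ, occurrences lists the free identifier occurrences of a phrase together with whether each is active, and from that come F(r), A(r), the strict and the relaxed definition of P # Q, the restriction on curried multi-parameter calls, and a walker that reports every || and every application whose operands interfere. The identifiers x, y, n, twice and repeat, the environments giving their types, and the sample phrases are constructed for the example; data types are collapsed into the single expression type 'exp', since only passivity matters here.

```python
# Added example: the interference relation # with passive phrases, as a checker.
# Phrase tuples:  ('id', I)  ('const', v)  ('binop', op, e1, e2)  ('not', e)
#   ('assign', v, e)  ('seq', s1, s2)  ('par', s1, s2)  ('while', e, s)  ('new', I, s)
#   ('lam', I, w, body)  ('app', f, a)  ('col', {I: phrase})  ('sel', c, I)
# Program types: 'exp', 'var', 'sta', ('->', w, w2), ('->p', w, w2), ('Pi', {I: w}).
from itertools import combinations


def is_passive(w):
    """(P1)-(P3): tau exp, w ->p w', and collections of passive components are passive."""
    if w == 'exp':
        return True
    if isinstance(w, tuple):
        return w[0] == '->p' or (w[0] == 'Pi' and all(map(is_passive, w[1].values())))
    return False


def typeof(p, env):
    """Program type of p under env (identifier -> program type)."""
    kind = p[0]
    if kind == 'id':
        return env[p[1]]
    if kind in ('const', 'binop', 'not'):
        return 'exp'
    if kind in ('assign', 'seq', 'par', 'while', 'new'):
        return 'sta'
    if kind == 'lam':                 # lambda I. B is passive when no global has an active occurrence
        _, i, w, body = p
        inner = {**env, i: w}
        arrow = '->p' if not (A(body, inner) - {i}) else '->'
        return (arrow, w, typeof(body, inner))
    if kind == 'app':
        return typeof(p[1], env)[2]
    if kind == 'col':
        return ('Pi', {k: typeof(v, env) for k, v in p[1].items()})
    if kind == 'sel':
        return typeof(p[1], env)[1][p[2]]
    raise ValueError(kind)


def occurrences(p, env, passive=False):
    """Yield (identifier, active) for every free occurrence in p; an occurrence is
    active unless it lies inside some subphrase of passive type."""
    passive = passive or is_passive(typeof(p, env))
    kind = p[0]
    if kind == 'id':
        yield p[1], not passive
    elif kind in ('assign', 'while'):     # the right side / the condition is an expression
        yield from occurrences(p[1], env, passive or kind == 'while')
        yield from occurrences(p[2], env, passive or kind == 'assign')
    elif kind in ('lam', 'new'):
        i, w, body = (p[1], p[2], p[3]) if kind == 'lam' else (p[1], 'var', p[2])
        yield from ((j, a) for j, a in occurrences(body, {**env, i: w}, passive) if j != i)
    elif kind == 'col':
        for v in p[1].values():
            yield from occurrences(v, env, passive)
    else:
        for child in p[1:]:
            if isinstance(child, tuple):
                yield from occurrences(child, env, passive)


def F(p, env):
    return {i for i, _ in occurrences(p, env)}


def A(p, env):
    return {i for i, active in occurrences(p, env) if active}


def noninterfere(p, q, env, relaxed=True):
    """P # Q.  Strict: F(P) & F(Q) empty.  Relaxed: A(P) & F(Q) and F(P) & A(Q) both empty."""
    if not relaxed:
        return not (F(p, env) & F(q, env))
    return not (A(p, env) & F(q, env)) and not (F(p, env) & A(q, env))


def check_call(proc, args, env, relaxed=True):
    """Curried call P(A1, ..., An): P # Ai for every i and Ai # Aj for every i != j."""
    return (all(noninterfere(proc, a, env, relaxed) for a in args)
            and all(noninterfere(a, b, env, relaxed) for a, b in combinations(args, 2)))


def violations(p, env, relaxed=True):
    """Every || and every application in p whose two operands interfere."""
    bad, kind = [], p[0]
    if kind in ('par', 'app') and not noninterfere(p[1], p[2], env, relaxed):
        bad.append((kind, sorted(F(p[1], env) & F(p[2], env))))
    if kind in ('lam', 'new'):
        i, w, body = (p[1], p[2], p[3]) if kind == 'lam' else (p[1], 'var', p[2])
        bad += violations(body, {**env, i: w}, relaxed)
    elif kind == 'col':
        for v in p[1].values():
            bad += violations(v, env, relaxed)
    else:
        bad += [v for c in p[1:] if isinstance(c, tuple) for v in violations(c, env, relaxed)]
    return bad


# Constructed examples from the text: n is an expression, x and y are variables.
ENV = {'x': 'var', 'y': 'var', 'n': 'exp'}
PAR_N = ('par', ('assign', ('id', 'x'), ('id', 'n')), ('assign', ('id', 'y'), ('id', 'n')))
TWICE = ('lam', 's', 'sta', ('seq', ('id', 's'), ('id', 's')))
PAR_TWICE = ('app',                    # let twice = lambda s. (s; s) in (twice(x := x+1) || twice(y := y*2))
             ('lam', 'twice', ('->p', 'sta', 'sta'),
              ('par', ('app', ('id', 'twice'), ('assign', ('id', 'x'), ('binop', '+', ('id', 'x'), ('const', 1)))),
                      ('app', ('id', 'twice'), ('assign', ('id', 'y'), ('binop', '*', ('id', 'y'), ('const', 2)))))),
             TWICE)
REPEAT = ('lam', 'a', 'sta', ('lam', 'b', 'exp', ('seq', ('id', 'a'), ('while', ('not', ('id', 'b')), ('id', 'a')))))
REPEAT_ENV = {'x': 'var', 'repeat': typeof(REPEAT, {})}
REPEAT_ARGS = [('assign', ('id', 'x'), ('binop', '+', ('id', 'x'), ('const', 1))),   # x := x+1
               ('binop', '<', ('id', 'x'), ('const', 10))]                            # x < 10
```

Under the strict definition both parallel statements are rejected (n, respectively twice, occurs free on both sides); under the relaxed definition both pass, because those occurrences are passive. The call repeat(x := x+1, x < 10) fails the pairwise restriction on parameters even in the relaxed form, while repeat(⟨a: x := x+1, b: x < 10⟩) passes, exactly as the text describes.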


Some Unresolved Questions

Our abstract syntax is ambiguous, in the sense that specifying the type of a phrase does not always specify a unique type for each subphrase. For example, in the original illustrative language, the subphrase if p then x else y might be either a variable or an expression in contexts such as

z := if p then x else y
⟨a: if p then x else y, b: 3⟩.b

Similarly, the introduction of passive procedures permits the subphrase λs: sta. (s; s) to have either type sta → sta or sta →p sta in the context

(λs: sta. (s; s))(x := x+1) .

Although these ambiguities could probably be eliminated, our intuition is to retain them, while insisting that they must not lead to ambiguous meanings. Indeed, it may be fruitful to extend this attitude to a wider variety of implicit conversions.


In normal usage, a procedure call will be active if and only if either the procedure itself or its parameter is active. Although other cases are syntactically permissible, they seem to have only trivial instances. Thus it might be desirable to limit the program types of procedures to the cases:

θ →p θ'    α →p α'    θ → α'    α → α'

where θ and θ' are passive types and α and α' are nonpassive types.

The most serious problem with our treatment of passivity is our inability to retain the basic property that beta-reduction preserves syntactic correctness. Consider, for example, the reduction

(λp: mixed. (x := p.a || y := p.a))(⟨a: n+1, b: n := 0⟩)

→ x := ⟨a: n+1, b: n := 0⟩.a || y := ⟨a: n+1, b: n := 0⟩.a

→ x := n+1 || y := n+1

where "mixed" stands for the program type Π(a: integer exp, b: sta). Although the first and last lines are perfectly reasonable, the intermediate line is rather dubious, since it contains assignments to the same variable n within two statements to be executed in parallel. Nevertheless, our definition of # still permits the intermediate line, on the grounds that assignments within passive phrases cannot be executed.

However, if we accept

x := ⟨a: n+1, b: n := 0⟩.a || y := ⟨a: n+1, b: n := 0⟩.a ,

then it is hard to deny

λs: sta. x := ⟨a: n+1, b: (n := 0 || s)⟩.a  #  y := ⟨a: n+1, b: n := 0⟩.a .

But this permits the reduction

(λs: sta. x := ⟨a: n+1, b: (n := 0 || s)⟩.a)(y := ⟨a: n+1, b: n := 0⟩.a)

→ x := ⟨a: n+1, b: (n := 0 || y := ⟨a: n+1, b: n := 0⟩.a)⟩.a

→ x := n+1 .

Here the intermediate step, in which the statement n := 0 || y := ⟨a: n+1, b: n := 0⟩.a is clearly illegal, is prohibited by our syntax.

This kind of problem is compounded by the possibility of collection-returning procedures. For instance, in the above examples, one might have silly(n+1, n := 0), where silly has type integer exp → (sta → mixed), in place of the collection ⟨a: n+1, b: n := 0⟩.

A possible though unaesthetic solution to these problems might be to permit illegal phrases in contexts where passivity guarantees nonexecution. A more hopeful possibility would be to alter the definition of substitution to avoid the creation of illegal phrases in such contexts.
Directions for Further Work


Beyond dealing with the above questions, it is obviously essential to extend these ideas to other language mechanisms, particularly arrays.

In addition, the interaction between these ideas and the axiomatization of program correctness needs to be explored. We suspect that many rules of inference might be simplified by using a logic which imposes #-preservation upon substitutions.

A somewhat tangential aspect of this work is the distinction between data and program types, which obviously has implications for user-defined types. (Note the absence of this distinction in Algol 68 [2].) In less Algol-like languages, data types might have as much structure as program types, and user definitions might be needed for both "types" of type. Indeed, there may be grounds for introducing more than two "types" of type.

Finally, these ideas may have implications for the optimization of call-by-name, perhaps to an extent which will overcome the aura of hopeless inefficiency which surrounds this concept. For example, when an expression is a single parameter to a procedure, as opposed to a component of a collection which is a parameter, then its repeated evaluation within the procedure must yield the same value (although nontermination is still possible). This suggests a possible application of the idea of "lazy evaluation" [11, 12].

APPENDIX 

Classes as Syntactic Sugar

In a previous paper, we have argued that classes are a less powerful data abstraction mechanism than either higher-order procedures or user-defined types [14]. The greater generality of higher-order procedures permits the definition of classes (in the reference-free sense of Hoare [13] rather than SIMULA itself) as abbreviations in our illustrative language. In fact, the basic idea works in Algol 60, although the absence there of lambda expressions and named collections of procedures makes its application cumbersome.

We consider a class declaration with scope S of the form:

class C(DECL; INIT; I_1: P_1, ..., I_n: P_n) in S                (1)

which defines C to be a class with component names I_1, ..., I_n. Here DECL is a list of declarations of variables and procedures which will be private to a class element, INIT is an initialization statement to be executed when each class element is created, and each P_k is the procedure named by I_k, in which the private variables may occur as globals.

Within the scope S, one may declare X to be a new element of class C by writing the statement

newelement X: C in S' .                                          (2)

Then within the statement S' one may write X.I_k to denote the component P_k of the class element X.

To express these notations in terms of procedures, suppose P_1, ..., P_n have types ω_1, ..., ω_n respectively. Then we define (1) to be an abbreviation for:

let C = λb: Π(I_1: ω_1, ..., I_n: ω_n) → sta.
          (DECL; INIT; b(⟨I_1: P_1, ..., I_n: P_n⟩))
in S ,

where b is an identifier not occurring in the original class declaration, and where DECL must be expressed in terms of new and let declarations.

Then we define (2) to be an abbreviation for:

C(λX: Π(I_1: ω_1, ..., I_n: ω_n). S') .

As an example, where for simplicity P_1 and P_2 are parameterless procedures:

class counter(integer n; n := 0;
              inc: n := n+1, val: n) in
... newelement k: counter in
... (k.inc; x := k.val)

is an abbreviation for

let counter =
  λb: Π(inc: sta, val: integer exp) → sta.
    new n: integer in
      (n := 0; b(⟨inc: n := n+1, val: n⟩))
in
... counter(λk: Π(inc: sta, val: integer exp).
...   (k.inc; x := k.val)) ,

which eventually reduces to

new n: integer in (n := 0;
... (n := n+1; x := n)) .

In the process of reduction, identifiers will be renamed to protect the privacy of n.

The only effect of our interference-controlling constraints is that C must be a passive procedure, i.e., INIT and P_1, ..., P_n cannot assign to any variables which are more global than those declared by DECL. This insures that distinct class elements will not interfere with one another. Otherwise, if C is not passive, then S' in the definition of (2) cannot contain calls of C, so that multiple class elements cannot coexist.
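The desugaring of (1) and (2) and the reduction that follows can be carried out mechanically. The following Python is an added example written for this edition, not code from the paper: it implements capture-avoiding substitution and the beta and collection-selection reduction rules of the earlier section, the let, class and newelement abbreviations, and reduces the counter example above to its normal form. Types are dropped, since they play no part in the reductions. A second scope, which assigns to a global n rather than to x, is constructed to show the renaming that protects the private n.

```python
# Added example: classes as syntactic sugar, desugared and reduced.
# Phrases are nested tuples (types omitted):
#   ('id', I)  ('const', v)  ('binop', op, e1, e2)  ('assign', v, e)  ('seq', s1, s2)
#   ('new', I, s)  ('lam', I, body)  ('app', f, a)  ('col', {I: phrase})  ('sel', c, I)
import itertools


def free_ids(p):
    """F(p): identifiers with a free occurrence in p."""
    kind = p[0]
    if kind == 'id':
        return {p[1]}
    if kind in ('lam', 'new'):                       # both bind p[1] in p[2]
        return free_ids(p[2]) - {p[1]}
    if kind == 'col':
        return set().union(*(free_ids(v) for v in p[1].values()))
    return set().union(*(free_ids(c) for c in p[1:] if isinstance(c, tuple)))


def fresh(name, avoid):
    """name1, name2, ...: the first variant not in avoid."""
    return next(c for c in (f"{name}{k}" for k in itertools.count(1)) if c not in avoid)


def subst(p, i, q):
    """p|i->q: replace free occurrences of i in p by q, renaming a binder that would
    capture a free identifier of q (the 'changing bound identifiers' of the text)."""
    kind = p[0]
    if kind == 'id':
        return q if p[1] == i else p
    if kind in ('lam', 'new'):
        bound, body = p[1], p[2]
        if bound == i:                                # i is rebound here: nothing inside to replace
            return p
        if bound in free_ids(q) and i in free_ids(body):
            renamed = fresh(bound, free_ids(q) | free_ids(body))
            body, bound = subst(body, bound, ('id', renamed)), renamed
        return (kind, bound, subst(body, i, q))
    if kind == 'col':
        return ('col', {n: subst(v, i, q) for n, v in p[1].items()})
    return tuple(subst(c, i, q) if isinstance(c, tuple) else c for c in p)


def step(p):
    """One leftmost-outermost reduction: beta (call by name) or collection selection.
    Returns (phrase, True) if a step was taken, else (p, False)."""
    kind = p[0]
    if kind == 'app' and p[1][0] == 'lam':
        return subst(p[1][2], p[1][1], p[2]), True
    if kind == 'sel' and p[1][0] == 'col':
        return p[1][1][p[2]], True
    if kind == 'col':
        for n, v in p[1].items():
            v2, done = step(v)
            if done:
                return ('col', {**p[1], n: v2}), True
        return p, False
    for idx, c in enumerate(p):
        if isinstance(c, tuple):
            c2, done = step(c)
            if done:
                return p[:idx] + (c2,) + p[idx + 1:], True
    return p, False


def normalize(p, limit=1000):
    """Reduce until no rule applies (every phrase built here terminates)."""
    for _ in range(limit):
        p, done = step(p)
        if not done:
            return p
    raise RuntimeError("no normal form within limit")


def let(i, q, body):                        # let I = Q in P  ==  (lambda I. P)(Q)
    return ('app', ('lam', i, body), q)


def class_decl(c, private, init, components, scope):
    """(1) class C(DECL; INIT; I1:P1, ..., In:Pn) in S
       == let C = lambda b. DECL-wrapped (INIT; b(<I1:P1, ..., In:Pn>)) in S.
    `private` applies the new/let declarations of DECL around a statement."""
    used = free_ids(init) | set().union(*(free_ids(v) for v in components.values()))
    b = 'b' if 'b' not in used else fresh('b', used)
    body = private(('seq', init, ('app', ('id', b), ('col', components))))
    return let(c, ('lam', b, body), scope)


def newelement(x, c, scope):
    """(2) newelement X: C in S'  ==  C(lambda X. S')"""
    return ('app', ('id', c), ('lam', x, scope))


# The counter example of the text (constructed phrases).
N, X, K = ('id', 'n'), ('id', 'x'), ('id', 'k')
INC, VAL = ('assign', N, ('binop', '+', N, ('const', 1))), N


def counter_program(scope):
    """class counter(integer n; n := 0; inc: n := n+1, val: n) in <scope>."""
    return class_decl('counter', private=lambda s: ('new', 'n', s),
                      init=('assign', N, ('const', 0)),
                      components={'inc': INC, 'val': VAL}, scope=scope)


# newelement k: counter in (k.inc; x := k.val)
USE_X = newelement('k', 'counter', ('seq', ('sel', K, 'inc'), ('assign', X, ('sel', K, 'val'))))
# Variant whose scope assigns to a global n: the private n must be renamed (to n1) on the way.
USE_N = newelement('k', 'counter', ('seq', ('sel', K, 'inc'), ('assign', N, ('sel', K, 'val'))))
```

normalize(counter_program(USE_X)) yields new n: integer in (n := 0; (n := n+1; x := n)), the phrase the text arrives at; with USE_N the binder is renamed to n1 so that the global n in the scope is left untouched.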
APPENDIX B


USING  CATEGORY  THEORY  TO  DESIGN  IMPLICIT  CONVERSIONS  AND  GENERIC  OPERATORS 

John  C.  Reynolds 
Syracuse  University 
Syracuse,  New  York 

ABSTRACT  A  generalization  of  many-sorted  algebras,  called  category- 
sorted  algebras,  is  defined  and  applied  to  the  language-design  problem 
of  avoiding  anomalies  in  the  interaction  of  implicit  conversions 
and  generic  operators.  The  definition  of  a  simple  imperative  language 
(without  any  binding  mechanisms)  is  used  as  an  example. 

Introduction 

A  significant  problem  in  the  design  of  programming  languages  is  the 
treatment  of  implicit  conversions,  sometimes  called  coercions,  between  types. 
A  failure  to  provide  implicit  conversions  can  degrade  the  conciseness  and 
readability  of  a  language.  On  the  other  hand,  unless  great  care  is  taken 
in  the  design  of  such  conversions,  and  their  interaction  with  operators 
which  can  be  applied  to  operands  of  several  types,  the  resulting  language 
will  exhibit  anomalies  that  will  be  a  rich  source  of  programming  errors. 

(In  the  author's  opinion,  PL/ I  and  Algol  68  exemplify  this  danger.) 

As a simple illustration, consider assigning the sum of two integer variables to a real variable. In the absence of an implicit conversion from integer to real, one would have to write either

x := integer-to-real(m) + integer-to-real(n)

or

x := integer-to-real(m + n) .

Clearly, one would prefer to write x := m + n. If the language permits this, however, one can ask whether the implicit conversion precedes or follows the addition, i.e., which of the above statements is equivalent to x := m + n.
It is generally believed that a precise language definition must
answer  this  question  unambiguously.  However,  if  one  were  to  ask  the 
question  of  a  mathematician  (at  least  one  who  didn't  know  too  much  about 
programming),  he  would  probably  reply  that  it  doesn't  matter,  since  both 
of  the  above  statements  have  the  same  meaning,  and  that  indeed  the  whole 
point  of  permitting  the  same  operator  +  to  be  applied  to  arguments  of 
different  type  which  are  connected  by  an  implicit  conversion  is  that  the 
resulting  ambiguity  should  not  affect  the  meaning. 

In  a  sense,  of  course,  the  mathematician  is  wrong:  some  computers 
provide  a  floating-point  representation  with  such  limited  precision  that 
the  ambiguity  in  question  does  affect  meaning.  But  in  a  deeper  sense  the 
mathematician  is  right.  One  intuitively  expects  that  the  above  statements 
should  have  nearly  the  same  meaning,  and  in  analogous  cases  where  numerical 
approximation  or  overflow  is  not  involved,  one  expects  exactly  the  same 
meaning. 

To see this, replace real by character string in the above example, and suppose that integers are implicitly converted into character strings giving their decimal representation, and that + denotes both addition of integers and concatenation of strings. Then the two possible meanings of x := m + n are radically different. This case is clearly a mistake in language design which would be likely to cause programming errors.

In this paper we will describe a method for avoiding such errors. The underlying mathematical tool will be a generalization of many-sorted algebras called category-sorted algebras, which are closely related to the order-sorted algebras invented by Goguen.

Beyond the specific goal of treating implicit conversions, our presentation is intended to illustrate the potential of category theory in the area of language definition and to suggest that the "standard" denotational semantics developed by Scott and Strachey may not be the final solution to the language-definition problem. There is nothing incorrect about the Scott-Strachey methodology, and it has provided fundamental insights into many aspects of programming languages such as recursion. But it has not been so helpful in other areas of language design such as type structure. We suspect that clearer insights into these areas will require quite different applications of mathematics.
Conventional Many-Sorted Algebras


Our use of algebras is based on the ideas of Goguen, Thatcher, Wagner, and Wright, which have roots as far back as Burstall and Landin. In [2] a language is viewed as an initial algebra and its semantic function as the unique homomorphism from this initial algebra into some target algebra, so that defining the target algebra is tantamount to defining semantics.

Here we will adopt the slightly more elaborate view that (roughly speaking) a language is the free algebra generated by some set of identifiers, that an environment is a mapping of these identifiers into the carrier of the target algebra, and that the semantic function is the function which maps each environment into its unique extension as a homomorphism from the free algebra to the target algebra.

We propose to treat implicit conversions in this framework by generalizing the concept of an algebra appropriately. To motivate this proposal we will proceed through a sequence of increasingly general definitions of "algebra".

The standard concept of a many-sorted algebra used in algebraic semantics is due to Birkhoff and Lipson, who called it a "heterogeneous" algebra. According to Birkhoff and Lipson, but with changes of notation and terminology to reveal the similarity to later definitions:

(1) A signature consists of:

(1a) A set Ω of sorts. (Informally, the sorts correspond to types in a programming language.)

(1b) A family, indexed by nonnegative integers, of disjoint sets Δ_n of operators of rank n.

(1c) For each n ≥ 0 and δ ∈ Δ_n, a specification Γ_δ ∈ Ω^n × Ω. (Informally, if Γ_δ = ⟨⟨ω_1, ..., ω_n⟩, ω⟩ then the operator δ accepts operands of sorts ω_1, ..., ω_n and yields a result of sort ω.)

(2) An ΩΔΓ-algebra consists of:

(2a) A carrier B, which is an Ω-indexed family of sets. (Informally B(ω) is the set of meanings appropriate for phrases of type ω.)

(2b) For each n ≥ 0 and δ ∈ Δ_n, an interpretation γ_δ ∈ B(ω_1) × ... × B(ω_n) → B(ω), where ⟨⟨ω_1, ..., ω_n⟩, ω⟩ = Γ_δ.

(3) If B, γ and B', γ' are ΩΔΓ-algebras, then a homomorphism from B, γ to B', γ' is an Ω-indexed family of functions θ(ω) ∈ B(ω) → B'(ω) such that, for all n ≥ 0 and δ ∈ Δ_n, the diagram

B(ω_1) × ... × B(ω_n)  ---- γ_δ ---->  B(ω)
        |                                |
        | θ(ω_1) × ... × θ(ω_n)          | θ(ω)
        v                                v
B'(ω_1) × ... × B'(ω_n) ---- γ'_δ ----> B'(ω)

commutes, i.e., θ(ω)(γ_δ(x_1, ..., x_n)) = γ'_δ(θ(ω_1)(x_1), ..., θ(ω_n)(x_n)). Here ⟨⟨ω_1, ..., ω_n⟩, ω⟩ = Γ_δ and f_1 × ... × f_n denotes the function such that (f_1 × ... × f_n)(x_1, ..., x_n) = ⟨f_1(x_1), ..., f_n(x_n)⟩.

Unfortunately, it is difficult to pose the implicit-conversion problem within this concept of algebra since there is no mechanism for grouping operators which are represented by the same symbol. For example, integer addition and real addition would be distinct members of Δ_2 (with specifications ⟨⟨integer, integer⟩, integer⟩ and ⟨⟨real, real⟩, real⟩), and there is no mechanism for relating their interpretations more closely than, say, integer addition and multiplication.
Many-Sorted Algebras with Generic Operators

To solve this problem, we will employ an alternative concept of many-sorted algebras due to Higgins. In this approach, the operators are (in programming jargon) generic. The specification of an operator of rank n is a partial function from Ω^n to Ω, which is defined for the combinations of sorts of operands to which the operator is applicable, and which maps each such combination into the sort of the result yielded by the operator. (Notice that this captures the idea of bottom-up type determination.) Then the interpretation of the operator is a family of n-ary functions indexed by the domain of its specification.

In our own development we will insist that the specification be a total function from Ω^n to Ω. At first sight, this simplification might appear to be untenable since it implies that every operator can be applied to operands of arbitrary sorts. Formally, however, the situation can be saved by introducing a "nonsense" sort ns, which is the sort of "type-incorrect" phrases. (If a phrase is type-incorrect whenever any of its subphrases are type-incorrect, then every specification will yield ns whenever any of the sorts to which it is applied is ns. However, one can conceive of contexts, such as the application of a constant function, where this assumption might be relaxed.)

With this simplification, and a few changes of notation and terminology, Higgins' concept of a many-sorted algebra is:

(1) A signature consists of:

(1a) (as before) A set Ω of sorts.

(1b) (as before) A family, indexed by nonnegative integers, of disjoint sets Δ_n of operators of rank n.

(1c) For each n ≥ 0 and δ ∈ Δ_n, a specification Γ_δ ∈ Ω^n → Ω. (Informally, Γ_δ(ω_1, ..., ω_n) is the sort of result yielded by the generic operator δ when applied to operands of sorts ω_1, ..., ω_n.)

(2) An ΩΔΓ-algebra consists of:

(2a) (as before) A carrier B, which is an Ω-indexed family of sets.

(2b) For each n ≥ 0 and δ ∈ Δ_n, an interpretation γ_δ, which is an Ω^n-indexed family of functions γ_δ(ω_1, ..., ω_n) ∈ B(ω_1) × ... × B(ω_n) → B(Γ_δ(ω_1, ..., ω_n)). (Informally, γ_δ(ω_1, ..., ω_n) is the interpretation of the version of the generic operator δ which is applicable to sorts ω_1, ..., ω_n.)

(3) If B, γ and B', γ' are ΩΔΓ-algebras, then a homomorphism from B, γ to B', γ' is an Ω-indexed family of functions θ(ω) ∈ B(ω) → B'(ω) such that, for all n ≥ 0, δ ∈ Δ_n, and ω_1, ..., ω_n ∈ Ω, the diagram

B(ω_1) × ... × B(ω_n)  ---- γ_δ(ω_1, ..., ω_n) ---->  B(Γ_δ(ω_1, ..., ω_n))
        |                                                      |
        | θ(ω_1) × ... × θ(ω_n)                                | θ(Γ_δ(ω_1, ..., ω_n))
        v                                                      v
B'(ω_1) × ... × B'(ω_n) ---- γ'_δ(ω_1, ..., ω_n) ----> B'(Γ_δ(ω_1, ..., ω_n))     (I)

commutes.


Algebras with Ordered Sorts

We can now introduce the notion of implicit conversion. When there is an implicit conversion from sort ω to sort ω', we write ω ≤ ω' and say that ω is a subsort (or subtype) of ω'. Syntactically, this means that a phrase of sort ω can occur in any context which permits a phrase of sort ω'.

It is reasonable to expect that ω ≤ ω and that ω ≤ ω' and ω' ≤ ω'' implies ω ≤ ω''. Thus the relation ≤ is a preordering (sometimes called a quasiordering) of the set Ω. Actually, in all of the examples in this paper ≤ will be a partial ordering, i.e., ω ≤ ω' and ω' ≤ ω will only hold when ω = ω'. However, our general theory will not impose this additional requirement upon ≤.
Now suppose δ is an operator of rank n, and ω_1, ..., ω_n and ω'_1, ..., ω'_n are sorts such that ω_i ≤ ω'_i for each i from one to n. Then a context which permits a phrase of sort Γ_δ(ω'_1, ..., ω'_n) will permit an application of δ to operands of sorts ω'_1, ..., ω'_n. But the context of the ith operand will also permit an operand of sort ω_i, so that the overall context must also permit an application of δ to operands of sorts ω_1, ..., ω_n, which has sort Γ_δ(ω_1, ..., ω_n). Thus we expect that Γ_δ(ω_1, ..., ω_n) ≤ Γ_δ(ω'_1, ..., ω'_n) or, more abstractly, that the specification Γ_δ will be a monotone function.

0 

If  u  <_  «'  then  an  algebra  must  specify  a  conversion  function  from  the 
set  B(w)  of  meanings  appropriate  to  u>  to  the  set  B(w')of  meanings  appropriate 
to  u'.  At  first  sight,  one  might  expect  that  this  can  only  occur  when  B(w) 
is  a  subset  of  B(ui'),  and  that  the  conversion  function  must  be  the  corresponding 
identity  injection.  For  example,  integer  can  be  taken  as  a  subsort  of  real 
because  the  Integers  are  a  subset  of  the  reals. 

However there are other situations in which this is too limited a view of implicit conversion. For example, we would like to say that integer variable is a subsort of integer expression, so that integer variables can occur in any context which permits an integer expression. But it is difficult to regard the meanings of integer variables as a subset of the meanings of integer expressions. In fact, we will regard the meaning of an integer variable as a pair of functions: an acceptor function, which maps integers into state transformations, and an evaluator function, which maps states into integers. Then the meaning of an expression will just be an evaluator function, and the implicit conversion function from variables to expressions will be a function on pairs which forgets their first components.

In general, we will permit implicit conversion functions which forget information and are therefore not injective. To paraphrase Jim Morris, subtypes are not subsets. This is the main difference between our approach and that of Goguen. (There are some more technical differences, particularly in the definition of signatures, whose implications are not completely clear to this author.)

However, there are still some restrictions that should be imposed upon implicit conversion functions. The conversion function from any type to itself should be an identity function. Moreover, if $\omega \le \omega'$ and $\omega' \le \omega''$ then the conversion function from $B(\omega)$ to $B(\omega'')$ should be the composition of the functions from $B(\omega)$ to $B(\omega')$ and from $B(\omega')$ to $B(\omega'')$. This will insure that a conversion from one sort to another will not depend upon the choice of a particular path in the preordering of sorts.

These restrictions can be stated more succinctly by invoking category theory. A preordered set such as $\Omega$ can be viewed as a category with the members of $\Omega$ as objects, in which there is a single morphism from $\omega$ to $\omega'$ if $\omega \le \omega'$ and no such morphism otherwise. Suppose we write $\omega \le \omega'$ to stand for the unique morphism from $\omega$ to $\omega'$ (as well as for the condition that this morphism exists), and require the carrier $B$ to map each $\omega \le \omega'$ into the conversion function from $B(\omega)$ to $B(\omega')$. Then we have

(i) $B(\omega \le \omega') \in B(\omega) \to B(\omega')$.

(ii) $B(\omega \le \omega) = I_{B(\omega)}$.

(iii) If $\omega \le \omega'$ and $\omega' \le \omega''$ then $B(\omega \le \omega'') = B(\omega \le \omega');B(\omega' \le \omega'')$.

(Throughout this paper we will use semicolons to indicate composition in diagrammatic order, i.e., $(f;g)(x) = g(f(x))$.) These requirements are equivalent to saying that $B$ must be a functor from $\Omega$ to the category SET, in which the objects are sets and the morphisms from $S$ to $S'$ are the functions from $S$ to $S'$.

This leads to the following definition:

(1) A signature consists of:

(1a) A preordered set $\Omega$ of sorts.

(1b) (as before) A family, indexed by nonnegative integers, of disjoint sets $\Delta_n$ of operators of rank $n$.

(1c) For each $n \ge 0$ and $\delta \in \Delta_n$, a specification $\Gamma_\delta$, which is a monotone function from $\Omega^n$ to $\Omega$.

(2) An $\Omega\Delta\Gamma$-algebra consists of:

(2a) A carrier $B$, which is a functor from $\Omega$ to SET.

(2b) For each $n \ge 0$ and $\delta \in \Delta_n$, an interpretation $\gamma_\delta$, which is an $\Omega^n$-indexed family of functions $\gamma_\delta(\omega_1, \ldots, \omega_n) \in B(\omega_1) \times \cdots \times B(\omega_n) \to B(\Gamma_\delta(\omega_1, \ldots, \omega_n))$ such that, whenever $\omega_1 \le \omega'_1, \ldots, \omega_n \le \omega'_n$, the diagram

    B(ω_1) × ... × B(ω_n)  ──γ_δ(ω_1, ..., ω_n)──>  B(Γ_δ(ω_1, ..., ω_n))
              │                                               │
    B(ω_1 ≤ ω'_1) × ... × B(ω_n ≤ ω'_n)         B(Γ_δ(ω_1, ..., ω_n) ≤ Γ_δ(ω'_1, ..., ω'_n))
              │                                               │
              v                                               v
    B(ω'_1) × ... × B(ω'_n)  ──γ_δ(ω'_1, ..., ω'_n)──>  B(Γ_δ(ω'_1, ..., ω'_n))          (II)

commutes.

The above diagram asserts the relationship between generic operators and implicit conversions which originally motivated our development. To recapture our original example, suppose integer, real $\in \Omega$, integer $\le$ real, $+ \in \Delta_2$, $\Gamma_+(\text{integer}, \text{integer}) = \text{integer}$, and $\Gamma_+(\text{real}, \text{real}) = \text{real}$. Then a particular instance of the above diagram is

    B(integer) × B(integer)  ──γ_+(integer, integer)──>  B(integer)
              │                                               │
    B(integer ≤ real) × B(integer ≤ real)                B(integer ≤ real)
              │                                               │
              v                                               v
    B(real) × B(real)  ──γ_+(real, real)──>  B(real)

In other words, the result of adding two integers and converting their sum to a real number must be the same as the result of converting the integers and adding the converted operands.
In essence, the key to insuring that implicit conversions and generic operators mesh nicely is to require a commutative relationship between these entities. An analogous relationship must also be required between implicit conversions and homomorphisms:

(3) If $B,\gamma$ and $B',\gamma'$ are $\Omega\Delta\Gamma$-algebras, then an homomorphism from $B,\gamma$ to $B',\gamma'$ is an $\Omega$-indexed family of functions $\theta(\omega) \in B(\omega) \to B'(\omega)$ such that, whenever $\omega \le \omega'$, the diagram

    B(ω)  ──θ(ω)──>  B'(ω)
      │                 │
    B(ω ≤ ω')        B'(ω ≤ ω')
      │                 │
      v                 v
    B(ω')  ──θ(ω')──>  B'(ω')                (III)

commutes, and (as before) for all $n \ge 0$, $\delta \in \Delta_n$, and $\omega_1, \ldots, \omega_n \in \Omega$, the diagram (I) commutes.

Category-Sorted  Algebras 

By viewing the preordered set of sorts as a category, we have been able to use the category-theoretic concept of a functor to express appropriate restrictions on implicit conversion functions. In a similar vein, we can use the concept of a natural transformation to express the relationship between implicit conversion functions and interpretations given by diagram (II) and the relationship between implicit conversion functions and homomorphisms given by diagram (III).

In fact, diagram (III) is simply an assertion that the homomorphism $\theta$ is a natural transformation from the functor $B$ to the functor $B'$. Diagram (II), however, is more complex. To express this diagram as a natural transformation, we must first define some notation for the exponentiation of categories and functors, and for the Cartesian product functor on SET:
(1) For any category $K$, we write:

(a) $|K|$ for the set (or collection) of objects of $K$.

(b) $X \to_K X'$ for the set of morphisms from $X$ to $X'$ in $K$.

(c) $I^K_X$ for the identity morphism of $X$ in $K$.

(d) $;_K$ for composition in $K$.

(2) For any category $K$, we write $K^n$ to denote the category such that:

(a) $|K^n| = |K|^n$, i.e. the $n$-fold Cartesian product of $|K|$.

(b) $\langle X_1, \ldots, X_n\rangle \to_{K^n} \langle X'_1, \ldots, X'_n\rangle = (X_1 \to_K X'_1) \times \cdots \times (X_n \to_K X'_n)$.

(c) $I^{K^n}_{\langle X_1, \ldots, X_n\rangle} = \langle I^K_{X_1}, \ldots, I^K_{X_n}\rangle$.

(d) $\langle\rho_1, \ldots, \rho_n\rangle ;_{K^n} \langle\rho'_1, \ldots, \rho'_n\rangle = \langle\rho_1 ;_K \rho'_1, \ldots, \rho_n ;_K \rho'_n\rangle$.

(Notice that when $K$ is a preorder (e.g. $\Omega$) this definition is consistent with the usual notion (e.g. $\Omega^n$) of exponentiation of a preorder.)

(3) For any functor $F$ from $K$ to $K'$, we write $F^n$ to denote the functor from $K^n$ to $K'^n$ such that:

(a) $F^n(X_1, \ldots, X_n) = \langle F(X_1), \ldots, F(X_n)\rangle$.

(b) $F^n(\rho_1, \ldots, \rho_n) = \langle F(\rho_1), \ldots, F(\rho_n)\rangle$.

(4) We write $\times^{(n)}$ to denote the functor from $\mathrm{SET}^n$ to SET such that:

(a) $\times^{(n)}(S_1, \ldots, S_n) = S_1 \times \cdots \times S_n$.

(b) $\times^{(n)}(f_1, \ldots, f_n) = f_1 \times \cdots \times f_n$.


Next, we note that when $\Omega^n$ and $\Omega$ are viewed as categories, the monotone function $\Gamma_\delta$ can be viewed as a functor from $\Omega^n$ to $\Omega$ by defining its action on morphisms to be

$\Gamma_\delta(\omega_1 \le \omega'_1, \ldots, \omega_n \le \omega'_n) = \Gamma_\delta(\omega_1, \ldots, \omega_n) \le \Gamma_\delta(\omega'_1, \ldots, \omega'_n)$.

Then

$\Omega^n \xrightarrow{\;B^n\;} \mathrm{SET}^n \xrightarrow{\;\times^{(n)}\;} \mathrm{SET}$ and $\Omega^n \xrightarrow{\;\Gamma_\delta\;} \Omega \xrightarrow{\;B\;} \mathrm{SET}$

are compositions of functors which can be used to rewrite diagram (II) as:

    (B^n;×^(n))(ω_1, ..., ω_n)  ──γ_δ(ω_1, ..., ω_n)──>  (Γ_δ;B)(ω_1, ..., ω_n)
              │                                                   │
    (B^n;×^(n))(ω_1 ≤ ω'_1, ..., ω_n ≤ ω'_n)         (Γ_δ;B)(ω_1 ≤ ω'_1, ..., ω_n ≤ ω'_n)
              │                                                   │
              v                                                   v
    (B^n;×^(n))(ω'_1, ..., ω'_n)  ──γ_δ(ω'_1, ..., ω'_n)──>  (Γ_δ;B)(ω'_1, ..., ω'_n)

In this form, the diagram is clearly an assertion that $\gamma_\delta$ is a natural transformation from the functor $B^n;\times^{(n)}$ to the functor $\Gamma_\delta;B$.

At this stage we have come to regard $\Omega$ entirely as a category. Indeed, we can justify the term "category-sorted algebra" by extending our definition to the case where $\Omega$ is an arbitrary category:

(1) A signature consists of:

(1a) A category $\Omega$ of sorts.

(1b) A family, indexed by nonnegative integers, of disjoint sets $\Delta_n$ of operators of rank $n$.

(1c) For each $n \ge 0$ and $\delta \in \Delta_n$, a specification $\Gamma_\delta$, which is a functor from $\Omega^n$ to $\Omega$.

(2) An $\Omega\Delta\Gamma$-algebra consists of:

(2a) A carrier $B$, which is a functor from $\Omega$ to SET.

(2b) For each $n \ge 0$ and $\delta \in \Delta_n$, an interpretation $\gamma_\delta$, which is a natural transformation from $B^n;\times^{(n)}$ to $\Gamma_\delta;B$.

(3) If $B,\gamma$ and $B',\gamma'$ are $\Omega\Delta\Gamma$-algebras, then an homomorphism from $B,\gamma$ to $B',\gamma'$ is a natural transformation from $B$ to $B'$ such that, for all $n \ge 0$, $\delta \in \Delta_n$, and $\omega_1, \ldots, \omega_n \in \Omega$, the diagram (I) commutes.
This is a clear illustration of what we mean by applying category theory to language definition. Our intention is not to use any deep theorems of category theory, but merely to employ the basic concepts of this field as organizing principles. This might appear as a desire to be concise at the expense of being esoteric. But in designing a programming language, the central problem is to organize a variety of concepts in a way which exhibits uniformity and generality. Substantial leverage can be gained in attacking this problem if these concepts can be defined concisely within a framework which has already proven its ability to impose uniformity and generality upon a wide variety of mathematics.

It is easy to verify that $\Omega\Delta\Gamma$-algebras and their homomorphisms form a category, which we will call $\mathrm{ALG}_{\Omega\Delta\Gamma}$. It is also evident that these category-sorted algebras reduce to the Higgins algebras (with total specifications) discussed earlier when $\Omega$ is a discrete category (i.e., a partially ordered set in which $\omega \le \omega'$ only holds when $\omega = \omega'$).

Algebraic Semantics

We can now explicate our claim that defining semantics is tantamount to defining a target algebra. Suppose the target algebra is a category-sorted $\Omega\Delta\Gamma$-algebra $B,\gamma$. Then $B(\omega)$ is the set of meanings of type $\omega$. Thus we can define the set $M$ of all meanings to be the disjoint union of $B(\omega)$ over $\omega \in |\Omega|$, i.e.,

$M = \{\omega, x \mid \omega \in |\Omega| \text{ and } x \in B(\omega)\}$.

We can also define the function $\tau_M \in M \to |\Omega|$ such that

$\tau_M(\omega, x) = \omega$,

which gives the type of each meaning in $M$.

Now let $I$ be a set of identifiers and $\tau_I \in I \to |\Omega|$ be an assignment of types to each identifier in $I$. Then an environment $e$ for $I,\tau_I$ is a function from $I$ to $M$ which maps each identifier into a meaning of the appropriate type, i.e., which makes the diagram of functions $e \in I \to M$, $\tau_I \in I \to |\Omega|$ and $\tau_M \in M \to |\Omega|$ commute: $e;\tau_M = \tau_I$.

To describe this situation in category-theoretic terms, we define the category $\mathrm{SET}\downarrow|\Omega|$ of sets with type assignments. This is the category such that

(a) The objects of $\mathrm{SET}\downarrow|\Omega|$ are pairs $S,\tau$, where $S$ is a set and $\tau \in S \to |\Omega|$.

(b) $S,\tau \to_{\mathrm{SET}\downarrow|\Omega|} S',\tau'$ is the set of functions $f$ from $S$ to $S'$ such that the diagram

    S ──f──> S'
     \       /
    τ \     / τ'
       v   v
        |Ω|

commutes, i.e. $f;\tau' = \tau$.

(c) Composition and identities in $\mathrm{SET}\downarrow|\Omega|$ are the same as in SET.

Then an environment for $I,\tau_I$ is a morphism in $I,\tau_I \to_{\mathrm{SET}\downarrow|\Omega|} M,\tau_M$. We call this set $\mathrm{Env}(I,\tau_I)$.

Next we define $U$ to be the functor from $\mathrm{ALG}_{\Omega\Delta\Gamma}$ to $\mathrm{SET}\downarrow|\Omega|$ whose action on an $\Omega\Delta\Gamma$-algebra $B,\gamma$ is given by

$U(B,\gamma) = S,\tau$ where
$S = \{\omega, x \mid \omega \in |\Omega| \text{ and } x \in B(\omega)\}$,
$\tau \in S \to |\Omega|$ is the function such that $\tau(\omega, x) = \omega$,

and whose action on an homomorphism $\theta$ from $B,\gamma$ to $B',\gamma'$ is given by

$U(\theta) \in U(B,\gamma) \to_{\mathrm{SET}\downarrow|\Omega|} U(B',\gamma')$ is the function such that $U(\theta)(\omega, x) = \omega, \theta(\omega)(x)$.

Then $M,\tau_M$ is the result of applying $U$ to the target algebra $B,\gamma$, so that $\mathrm{Env}(I,\tau_I) = I,\tau_I \to_{\mathrm{SET}\downarrow|\Omega|} U(B,\gamma)$. More generally, $U$ is the "forgetful" functor which forgets both interpretations and implicit conversions, and maps a category-sorted algebra into the disjoint union of its carrier, along with an appropriate assignment of types to this disjoint union.

In the appendix, we will show that for any object $I,\tau_I$ of $\mathrm{SET}\downarrow|\Omega|$ there is an algebra $F(I,\tau_I)$, called the free $\Omega\Delta\Gamma$-algebra generated by $I,\tau_I$, and a morphism $\eta(I,\tau_I) \in I,\tau_I \to_{\mathrm{SET}\downarrow|\Omega|} U(F(I,\tau_I))$, called the embedding of $I,\tau_I$ into its free algebra, such that:

For any $B,\gamma \in |\mathrm{ALG}_{\Omega\Delta\Gamma}|$ and $e \in I,\tau_I \to_{\mathrm{SET}\downarrow|\Omega|} U(B,\gamma)$, there is exactly one homomorphism $\varepsilon \in F(I,\tau_I) \to_{\mathrm{ALG}_{\Omega\Delta\Gamma}} B,\gamma$ such that the diagram

    I,τ_I ──η(I,τ_I)──> U(F(I,τ_I))
        \                   │
       e \                  │ U(ε)
          v                 v
             U(B,γ)

in $\mathrm{SET}\downarrow|\Omega|$ commutes, i.e. $\eta(I,\tau_I);U(\varepsilon) = e$.

Suppose $F(I,\tau_I) = B_0,\gamma_0$. Then each $B_0(\omega)$ is the set of phrases of type $\omega$ which can be constructed from identifiers in $I$ whose types are given by $\tau_I$. Each $\varepsilon(\omega)$ maps the phrases of type $\omega$ into their meanings in $B(\omega)$. Moreover, suppose $R,\tau_R = U(B_0,\gamma_0) = U(F(I,\tau_I))$. Then $R$ is the set of phrases of all types, $\tau_R$ maps these phrases into their types, and $U(\varepsilon)$ maps these phrases into their meanings in a way which preserves types.

The embedding $\eta(I,\tau_I)$ maps each identifier into the phrase which consists of that identifier. Thus the above diagram shows that the meaning $U(\varepsilon)(\eta(I,\tau_I)(i))$ of the phrase consisting of $i$ is the meaning $e(i)$ given to $i$ by the environment $e$.

For a given $I,\tau_I$ one can define the $|\Omega|$-indexed family of semantic functions

$\mu(\omega) \in B_0(\omega) \to (\mathrm{Env}(I,\tau_I) \to B(\omega))$

such that

$\mu(\omega)(r)(e) = \varepsilon(\omega)(r)$,

where $\varepsilon$ is the unique homomorphism determined by the environment $e$. Then each $\mu(\omega)$ maps phrases of type $\omega$ into functions from environments to meanings of type $\omega$. Alternatively, one can define the single semantic function

$\mu \in R \to (\mathrm{Env}(I,\tau_I) \to M)$

such that

$\mu(r)(e) = U(\varepsilon)(r)$.

This function maps phrases of all types into functions from environments to meanings.
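The free algebra, environments and the semantic function $\mu(r)(e) = U(\varepsilon)(r)$ described above, as an added Python model that is not part of the report: it takes the sorts integer $\le$ real $\le$ ns and the single operator + of rank 2, represents the phrases of $F(I,\tau_I)$ as nested tuples, checks that an environment respects $\tau_I$ (the condition $e;\tau_M = \tau_I$), evaluates phrases by the homomorphism $\varepsilon$ determined by $e$, and confirms that $U(\varepsilon)$ preserves types. The tuple representation, the sample environment and every helper name are this example's own assumptions.

```python
# Added example (not from the report): a small model of the free algebra
# F(I, tau_I), the environments Env(I, tau_I) and the semantic function
# mu(r)(e) = U(epsilon)(r), for the sorts integer <= real <= ns and the single
# operator + of rank 2.  All names below are this example's own choices.

SORTS = ("integer", "real", "ns")     # a chain: integer <= real <= ns
RANK = {s: i for i, s in enumerate(SORTS)}


def leq(w1, w2):
    """The preorder on sorts (a total order on this chain)."""
    return RANK[w1] <= RANK[w2]


def convert(src, dst, x):
    """B(src <= dst): identity injections, and the unique map into B(ns) = {()}."""
    assert leq(src, dst), f"no morphism {src} <= {dst}"
    if dst == "ns":
        return ()
    if src == "integer" and dst == "real":
        return float(x)
    return x                                      # src == dst: identity


def Gamma_plus(w1, w2):
    """Specification Gamma_+ : Omega^2 -> Omega (monotone)."""
    if leq(w1, "integer") and leq(w2, "integer"):
        return "integer"
    if leq(w1, "real") and leq(w2, "real"):
        return "real"
    return "ns"


def gamma_plus(w1, w2):
    """Interpretation gamma_+(w1, w2) in B(w1) x B(w2) -> B(Gamma_+(w1, w2))."""
    key = Gamma_plus(w1, w2)
    if key == "ns":
        return lambda x, y: ()
    return lambda x, y: convert(w1, key, x) + convert(w2, key, y)


# Phrases of the free algebra: ("id", i) for an identifier i, or
# ("+", r1, r2) for an application of + to two phrases.

def phrase_type(r, tau_I):
    """tau_R: the type of a phrase, derived from tau_I and Gamma_+."""
    if r[0] == "id":
        return tau_I[r[1]]
    return Gamma_plus(phrase_type(r[1], tau_I), phrase_type(r[2], tau_I))


def is_environment(e, tau_I, tau_M=lambda m: m[0]):
    """e in Env(I, tau_I) iff e;tau_M = tau_I: every identifier gets a
    meaning (omega, x) of its declared type."""
    return all(tau_M(e[i]) == tau_I[i] for i in tau_I)


def mu(r, e):
    """mu(r)(e) = U(epsilon)(r): the meaning (omega, x) of phrase r in
    environment e, where epsilon is the unique homomorphism extending e."""
    if r[0] == "id":
        return e[r[1]]                            # eta(I, tau_I); U(epsilon) = e
    (w1, x), (w2, y) = mu(r[1], e), mu(r[2], e)
    return (Gamma_plus(w1, w2), gamma_plus(w1, w2)(x, y))


def meaning_preserves_type(r, e, tau_I):
    """The diagram in SET|Omega| commutes: tau_M(U(epsilon)(r)) = tau_R(r)."""
    return mu(r, e)[0] == phrase_type(r, tau_I)


if __name__ == "__main__":
    tau_I = {"n": "integer", "x": "real"}                # constructed sample
    env = {"n": ("integer", 3), "x": ("real", 1.5)}
    assert is_environment(env, tau_I)
    r = ("+", ("id", "n"), ("+", ("id", "n"), ("id", "x")))
    print(phrase_type(r, tau_I), mu(r, env))             # real ('real', 7.5)
```

An identifier of type ns makes every phrase containing it evaluate to the single meaning $\langle\rangle$ of $B(\text{ns})$, which is the behaviour the carrier $B(\text{ns})$ of the next section is chosen to give nonsense expressions.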

It is evident that the linguistic application of category-sorted algebras depends crucially upon the existence of free algebras or, more abstractly, upon the existence of a left adjoint to the forgetful functor $U$. In general, if $U$ is any functor from a category $K'$ to a category $K$, $F$ is a functor from $K$ to $K'$, and $\eta$ is a natural transformation from $I_K$ to $F;U$ such that:

For all $X \in |K|$, $X' \in |K'|$, and $\rho \in X \to_K U(X')$, there is exactly one morphism $\hat\rho \in F(X) \to_{K'} X'$ such that

    X ──η(X)──> U(F(X))
      \            │
     ρ \           │ U(ρ̂)
        v          v
          U(X')

commutes in $K$,

then $F$ is said to be a left adjoint of $U$, with associated natural transformation $\eta$. The triple $F, U, \eta$ is called an adjunction from $K$ to $K'$.

In the appendix, we show the existence of free category-sorted algebras by constructing a left adjoint and associated natural transformation for the forgetful functor $U$ from $\mathrm{ALG}_{\Omega\Delta\Gamma}$ to $\mathrm{SET}\downarrow|\Omega|$.
Data Algebras

To illustrate the application of category-sorted algebras, we will consider several variations of Algol 60. However, since we do not yet know how to treat binding mechanisms elegantly in an algebraic framework, we will limit ourselves to the subset of Algol which excludes the binding of identifiers, i.e., to the simple imperative language which underlies Algol. Although this is a substantial limitation, we will still be able to show the potential of our methodology for disciplining the design of implicit conversions and generic operators.

As discussed in (7) and (8), we believe that a fundamental characteristic of Algol-like languages is the presence of two kinds of type: data types, which describe variables (or expressions) and their ranges of values, and phrase types (called program types in (7)) which describe identifiers (or phrases which can be bound to identifiers) and their sets of meanings.

Algebraically, $\Omega$ should be a set of data types in order to define the values of expressions. In this case, the carrier of the free algebra is a data-type-indexed family of sets of expressions, and the carrier of the target algebra, which we will call a data algebra, is a data-type-indexed family of sets of values.

In Algol 60 itself there are three data types: integer, real, and boolean, to which we must add the nonsense type ns. To avoid implicit conversions, we would take $\Omega$ to be the partially ordered set in which

    integer ≤ ns,   real ≤ ns,   boolean ≤ ns

and integer, real and boolean are incomparable with one another. Notice that ns is the greatest element in this partial ordering, reflecting the notion that any sensible expression can occur in a context which permits nonsense.

On the other hand, to introduce an implicit conversion from integer to real, we would take integer to be a subtype of real:

    integer ≤ real ≤ ns,   boolean ≤ ns .

A more interesting situation arises when long real is introduced. One might expect real to be a subtype of long real, but an implicit conversion from real to long real would be dangerous from the viewpoint of numerical analysis, since a real value does not provide enough information to completely determine a long real value. In fact, it is the opposite implicit conversion which is numerically safe, so that long real should be a subtype of real:

    [figure: the preceding ordering with long real added as a subtype of real, i.e. long real ≤ real; of the figure's node labels only boolean, long real and integer survive in this copy]


In a language definition which was sufficiently concrete to make sense of the distinction between real and long real, one might take B(real) and B(long real) to be sets of real numbers with single and double precision representations, respectively, and B(long real ≤ real) to be the truncation or roundoff function from B(long real) to B(real). Notice that this function is not an injection, reflecting the fact that a conversion from long real to real loses information.

However, although this is suggestive, our methodology is not really adequate for dealing with the problems of roundoff or overflow. For this reason, we will omit the type long real and define our language at the level of abstraction where roundoff and overflow are ignored.


In the rest of this paper we will take $\Omega$ to be the partially ordered set

    digit string ≤ integer ≤ real ≤ complex ≤ ns,   boolean ≤ ns .

It should be emphasized that this choice of $\Omega$ - particularly the use of digit string - is purely for illustrative purposes, and is not put forth as desirable for a real programming language.

In the carrier of our target algebra we will have:

B(digit string) = the set of strings of digits,
B(integer) = the set of integers,
B(real) = the set of real numbers,
B(complex) = the set of complex numbers,
B(boolean) = {true, false},

with the conversion functions

B(digit string ≤ integer) = the function which maps each digit string into the integer of which it is a decimal representation,
B(integer ≤ real) = the identity injection from integers to real numbers,
B(real ≤ complex) = the identity injection from real numbers to complex numbers.

Notice that, because of the possible presence of leading zeros, the function B(digit string ≤ integer) is not an injection.
We must also specify B(ns) and the conversion functions into this set. For these conversion functions to exist, B(ns) must be nonempty, i.e., we must give some kind of meaning to nonsense expressions. The closest we can come to saying that they do not make sense is to give them all the same meaning by taking B(ns) to be a singleton set. This insures (since a singleton set is a terminal element in the category SET) that there will be exactly one possible conversion function from any data type to ns:

B(ns) = {⟨⟩},
B(ω ≤ ns) = the unique function from B(ω) to {⟨⟩}.

As an example of an operator, let + be a member of $\Delta_2$, with the specification

Γ_+(ω_1, ω_2) = if ω_1 ≤ integer and ω_2 ≤ integer then integer
                else if ω_1 ≤ real and ω_2 ≤ real then real
                else if ω_1 ≤ complex and ω_2 ≤ complex then complex
                else ns

and the interpretation

γ_+(ω_1, ω_2) = if ω_1 ≤ integer and ω_2 ≤ integer then
                    λ(x, y). let x' = B(ω_1 ≤ integer)(x) and y' = B(ω_2 ≤ integer)(y)
                             in integer-addition(x', y')
                else if ω_1 ≤ real and ω_2 ≤ real then
                    λ(x, y). let x' = B(ω_1 ≤ real)(x) and y' = B(ω_2 ≤ real)(y)
                             in real-addition(x', y')
                else if ω_1 ≤ complex and ω_2 ≤ complex then
                    λ(x, y). let x' = B(ω_1 ≤ complex)(x) and y' = B(ω_2 ≤ complex)(y)
                             in complex-addition(x', y')
                else λ(x, y). ⟨⟩ .

Although the above definition makes + a purely numerical operator, it can be extended to encompass nonnumerical "addition":

Γ_+(ω_1, ω_2) = if ω_1 ≤ boolean and ω_2 ≤ boolean then boolean
                else if ω_1 ≤ digit string and ω_2 ≤ digit string then digit string
                else ... (as before)

γ_+(ω_1, ω_2) = if ω_1 ≤ boolean and ω_2 ≤ boolean then
                    λ(x, y). let x' = B(ω_1 ≤ boolean)(x) and y' = B(ω_2 ≤ boolean)(y)
                             in boolean-addition(x', y')
                else if ω_1 ≤ digit string and ω_2 ≤ digit string then
                    λ(x, y). let x' = B(ω_1 ≤ digit string)(x)
                                 and y' = B(ω_2 ≤ digit string)(y)
                             in digit-string-addition(x', y')
                else ... (as before) .

Since there are no implicit conversions between boolean and any other type than ns, we are free to choose "boolean addition" to be any function from pairs of truth values to truth values. On the other hand, "digit-string addition" is tightly constrained by the implicit conversion from digit string to integer, which gives rise to the requirement that

    B(digit string) × B(digit string)  ──digit-string addition──>  B(digit string)
              │                                                          │
    B(digit string ≤ integer) × B(digit string ≤ integer)         B(digit string ≤ integer)
              │                                                          │
              v                                                          v
    B(integer) × B(integer)  ──integer addition──>  B(integer)

commute. In other words, the sum of two digit strings must be a decimal representation of the sum of the integers which are represented by those two strings. The only freedom we have in defining digit-string addition is in the treatment of leading zeros in the result.

The definition of + suggests that a typical operator will have a significant specification and interpretation for certain "key" sorts of operands, and that its specification and interpretation for other sorts of operands can be obtained by implicitly converting the operands to key sorts. To formalize this idea, let

(1) $\Lambda_\delta$ be a category of keys.

(2) $\Phi_\delta$ be a functor from $\Lambda_\delta$ to $\Omega^n$.

(3) $\Gamma'_\delta$ be a functor from $\Lambda_\delta$ to $\Omega$.

(4) $\gamma'_\delta$ be a natural transformation from $\Phi_\delta;B^n;\times^{(n)}$ to $\Gamma'_\delta;B$.

Intuitively, for each key $\lambda \in |\Lambda_\delta|$, $\Phi_\delta(\lambda)$ is the $n$-tuple of sorts to which the "$\lambda$-version" of $\delta$ is applicable, $\Gamma'_\delta(\lambda)$ is the sort of the result of the $\lambda$-version of $\delta$, and $\gamma'_\delta(\lambda) \in \times^{(n)}(B^n(\Phi_\delta(\lambda))) \to B(\Gamma'_\delta(\lambda))$ is the interpretation of the $\lambda$-version of $\delta$.

These entities can be extended to all sorts of operands if the functor $\Phi_\delta$ possesses a left adjoint $\Psi_\delta$, which will be a functor from $\Omega^n$ to $\Lambda_\delta$, and an associated natural transformation $\eta_\delta$, which will be a natural transformation from $I_{\Omega^n}$ to $\Psi_\delta;\Phi_\delta$. Then we can define the specification

$\Gamma_\delta = \Psi_\delta;\Gamma'_\delta \in \Omega^n \to \Omega$,

and the interpretation

$\gamma_\delta(\omega_1, \ldots, \omega_n) = \times^{(n)}(B^n(\eta_\delta(\omega_1, \ldots, \omega_n)));\gamma'_\delta(\Psi_\delta(\omega_1, \ldots, \omega_n))$,

which can easily be shown to be a natural transformation from $B^n;\times^{(n)}$ to $\Gamma_\delta;B$. Intuitively, $\Psi_\delta(\omega_1, \ldots, \omega_n)$ can be thought of as the key determining the version of $\delta$ to be used for operands of sorts $\omega_1, \ldots, \omega_n$, and $\eta_\delta(\omega_1, \ldots, \omega_n)$ as the implicit conversion to be applied to these operands.

In the special case where $\Lambda_\delta$ and $\Omega$ are partially ordered sets, it can be shown (9, p. 93) that $\Psi_\delta$ will be a left adjoint of $\Phi_\delta$ if and only if $\omega \le \Phi_\delta(\Psi_\delta(\omega))$ for all $\omega \in \Omega^n$ and $\Psi_\delta(\Phi_\delta(\lambda)) \le \lambda$ for all $\lambda \in \Lambda_\delta$. In this case $\eta_\delta(\omega)$ will be the unique morphism $\omega \le \Phi_\delta(\Psi_\delta(\omega))$, and $\gamma_\delta$ will be

$\gamma_\delta(\omega) = \times^{(n)}(B^n(\omega \le \Phi_\delta(\Psi_\delta(\omega))));\gamma'_\delta(\Psi_\delta(\omega))$.

Moreover, as shown by the following proposition, $\Psi_\delta$ will be uniquely determined by $\Phi_\delta$:
Proposition. Suppose $\Phi$ is a monotone function from $\Lambda$ to $\Omega^n$, where $\Lambda$ and $\Omega^n$ are partially ordered sets, such that

(1) For all $\omega \in \Omega^n$, the set $\{\lambda \m id \lambda \in \Lambda \text{ and } \omega \le \Phi(\lambda)\}$ has a greatest lower bound in $\Lambda$.

(2) For all $\omega \in \Omega^n$, $\Phi(\sqcap\{\lambda \mid \lambda \in \Lambda \text{ and } \omega \le \Phi(\lambda)\})$ is the greatest lower bound in $\Omega^n$ of $\{\Phi(\lambda) \mid \lambda \in \Lambda \text{ and } \omega \le \Phi(\lambda)\}$.

Then $\Psi(\omega) = \sqcap\{\lambda \mid \lambda \in \Lambda \text{ and } \omega \le \Phi(\lambda)\}$ is the unique monotone function from $\Omega^n$ to $\Lambda$ such that $\Psi$ is a left adjoint of $\Phi$.

Proof: $\Psi$ is obviously monotone. For any $\lambda \in \Lambda$, $\Psi(\Phi(\lambda))$ is the greatest lower bound of $\{\lambda' \mid \lambda' \in \Lambda \text{ and } \Phi(\lambda) \le \Phi(\lambda')\}$ and, since $\lambda$ belongs to this set, $\Psi(\Phi(\lambda)) \le \lambda$. For any $\omega \in \Omega^n$, $\Phi(\Psi(\omega)) = \Phi(\sqcap\{\lambda \mid \lambda \in \Lambda \text{ and } \omega \le \Phi(\lambda)\})$ is the greatest lower bound of $\{\Phi(\lambda) \mid \lambda \in \Lambda \text{ and } \omega \le \Phi(\lambda)\}$ and, since $\omega$ is a lower bound of this set, $\omega \le \Phi(\Psi(\omega))$.

Suppose $\Psi$ is any left adjoint of $\Phi$. If $\omega \le \Phi(\lambda)$ then $\Psi(\omega) \le \Psi(\Phi(\lambda)) \le \lambda$. Thus $\Psi(\omega)$ is a lower bound of $\{\lambda \mid \lambda \in \Lambda \text{ and } \omega \le \Phi(\lambda)\}$. Moreover, this set contains $\Psi(\omega)$ since $\omega \le \Phi(\Psi(\omega))$. Thus any lower bound of this set must be less than $\Psi(\omega)$, so that $\Psi(\omega)$ is the greatest lower bound.

The conditions in this proposition will hold if $\Lambda$ contains greatest lower bounds of all of its subsets, i.e., if $\Lambda$ is a complete lattice, and $\Phi$ preserves all greatest lower bounds. However, we will sometimes use $\Lambda$'s which are not complete lattices.

As an example, the purely numeric definition of + given earlier can be recast more concisely by using the set of keys

$\Lambda_+ = \{\text{integer}, \text{real}, \text{complex}, \text{ns}\}$

with the same partial ordering as $\Omega$. Then the specification $\Gamma_+$ is determined by the functions $\Phi_+$ and $\Gamma'_+$ such that

    λ          Φ_+(λ)              Γ'_+(λ)
    integer    integer, integer    integer
    real       real, real          real
    complex    complex, complex    complex
    ns         ns, ns              ns

and the interpretation $\gamma_+$ is determined by

γ'_+(integer) = integer addition
γ'_+(real) = real addition
γ'_+(complex) = complex addition
γ'_+(ns) = λ(x, y). ⟨⟩ .

To extend this definition to nonnumeric types, one adds boolean and digit string to $\Lambda_+$, with

    λ             Φ_+(λ)                      Γ'_+(λ)
    boolean       boolean, boolean            boolean
    digit string  digit string, digit string  digit string

and

γ'_+(boolean) = boolean addition
γ'_+(digit string) = digit-string addition .

(Notice that in this case $\Lambda_+$ is not a complete lattice, but the necessary conditions for the existence of a left adjoint to $\Phi_+$ are still met.)

In the remainder of this section we will illustrate our approach by defining a few other binary operators. In each case $\Lambda_\delta$ is the listed subset of $\Omega$, with the same partial ordering as $\Omega$.
For the division operators / and ÷ we can define

    λ          Φ_/(λ)              Γ'_/(λ)
    real       real, real          real
    complex    complex, complex    complex
    ns         ns, ns              ns

γ'_/(real) = real division
γ'_/(complex) = complex division
γ'_/(ns) = λ(x, y). ⟨⟩

and

    λ          Φ_÷(λ)              Γ'_÷(λ)
    integer    integer, integer    integer
    ns         ns, ns              ns

γ'_÷(integer) = λ(x, y). the unique integer q such that x = q × y + r where
                if x ≥ 0 then 0 ≤ r < |y| else −|y| < r ≤ 0 ,
γ'_÷(ns) = λ(x, y). ⟨⟩ .

These operations cannot be combined into a single operator since, for example, 3/2 = 1.5 but 3 ÷ 2 = 1. On the other hand, since the definition of γ'_÷(integer) extends sensibly to the case where x and y are real, one could generalize ÷ by taking Φ_÷(integer) = real, real.
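The interpretation γ'_÷(integer) just defined, as an added Python example (not the report's own code): it computes the unique quotient q and remainder r of the definition, in which the remainder takes the sign of the dividend, and contrasts that quotient with Python's floor division `//`, which rounds toward negative infinity and therefore disagrees for negative dividends. The function names are this example's assumptions.

```python
# Added example (not from the report): the interpretation gamma'_÷(integer),
# i.e. the unique q with x = q*y + r where 0 <= r < |y| if x >= 0 and
# -|y| < r <= 0 otherwise.  Function names are this example's own.

def int_div(x, y):
    """Return (q, r) with x == q*y + r and the remainder r taking the sign of x."""
    if y == 0:
        raise ZeroDivisionError("the definition requires y != 0")
    r = abs(x) % abs(y)          # remainder of |x| by |y|, in the range [0, |y|)
    if x < 0:
        r = -r                   # remainder takes the sign of the dividend
    q = (x - r) // y             # exact: y divides x - r
    assert x == q * y + r
    return q, r


def differs_from_floor_division(x, y):
    """True when the report's quotient disagrees with Python's x // y."""
    return int_div(x, y)[0] != x // y
```

For instance `int_div(3, 2)` gives `(1, 1)`, matching the remark that 3 ÷ 2 = 1, while `int_div(-7, 2)` gives `(-3, -1)` where Python's `-7 // 2` is `-4`.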

Since nonnegative integers have not been introduced as a data type and, for example, $3^{-1}$ is not an integer, exponentiation cannot be defined to yield an integer result for any sort of operands. If exponents are limited to integers, one can define

    λ          Φ(λ)                Γ'(λ)
    real       real, integer       real
    complex    complex, integer    complex
    ns         ns, ns              ns

γ'(real) = λ(x, n). x^n
γ'(complex) = λ(x, n). x^n
γ'(ns) = λ(x, y). ⟨⟩ .

This can be extended to noninteger exponents by taking Φ(complex) = complex, complex, but the multi-valued nature of complex exponentiation (as well as the time required to compute the necessary logarithms and exponentials) would probably make this unwise.
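The proposition on left adjoints and the key tables for +, / and exponentiation above, as an added Python example that is not part of the report: it takes the key sets with the ordering of Ω, computes Ψ_δ(ω) as the greatest lower bound of {λ | ω ≤ Φ_δ(λ)} exactly as the proposition prescribes, derives Γ_δ = Ψ_δ;Γ'_δ from it, checks the two adjunction inequalities and condition (2) of the proposition for every pair of sorts, and shows that Λ_+ is not a complete lattice even though the left adjoint exists. The helper names (`leq`, `glb`, `psi`, `spec`, ...) and the encoding of the tables are this example's assumptions.

```python
# Added example (not from the report): computing the left adjoint Psi_delta of a
# key functor Phi_delta as Psi(w) = glb{ lambda | w <= Phi(lambda) }, for the
# operators +, / and exponentiation ("^") of this section.  Sort and key names
# are the report's; all helper names are this example's own.

# Omega: digit string <= integer <= real <= complex <= ns, boolean <= ns.
COVERS = {("digit string", "integer"), ("integer", "real"),
          ("real", "complex"), ("complex", "ns"), ("boolean", "ns")}
SORTS = ("digit string", "integer", "real", "complex", "ns", "boolean")
PAIRS = [(a, b) for a in SORTS for b in SORTS]          # the objects of Omega^2


def leq(a, b):
    """Reflexive-transitive closure of the covering relation: the order on Omega."""
    return a == b or any(leq(c, b) for (x, c) in COVERS if x == a)


def leq_tuple(u, v):
    """Componentwise order on Omega^n."""
    return all(leq(a, b) for a, b in zip(u, v))


def glb(subset, universe, order):
    """Greatest lower bound of `subset` inside `universe`, or None if none exists."""
    lower = [l for l in universe if all(order(l, s) for s in subset)]
    greatest = [g for g in lower if all(order(l, g) for l in lower)]
    return greatest[0] if len(greatest) == 1 else None


# Lambda_delta, Phi_delta(lambda) and Gamma'_delta(lambda) as tabulated in the
# report; every Lambda is a subset of Omega carrying Omega's ordering.
OPERATORS = {
    "+": {l: ((l, l), l) for l in ("integer", "real", "complex", "ns",
                                    "boolean", "digit string")},
    "/": {l: ((l, l), l) for l in ("real", "complex", "ns")},
    "^": {"real": (("real", "integer"), "real"),
          "complex": (("complex", "integer"), "complex"),
          "ns": (("ns", "ns"), "ns")},
}


def psi(op, w):
    """Psi_delta(w) = glb of { lambda in Lambda | w <= Phi(lambda) } in Lambda,
    or None when condition (1) of the proposition fails for this w."""
    keys = OPERATORS[op]
    candidates = [l for l in keys if leq_tuple(w, keys[l][0])]
    return glb(candidates, list(keys), leq)


def spec(op, w):
    """Gamma_delta = Psi_delta ; Gamma'_delta: the result sort for operand sorts w."""
    return OPERATORS[op][psi(op, w)][1]


def adjunction_laws_hold(op):
    """w <= Phi(Psi(w)) and condition (2) for every w in Omega^2, and
    Psi(Phi(lambda)) <= lambda for every key lambda."""
    keys = OPERATORS[op]
    for w in PAIRS:
        k = psi(op, w)
        if k is None or not leq_tuple(w, keys[k][0]):
            return False
        images = [keys[l][0] for l in keys if leq_tuple(w, keys[l][0])]
        if glb(images, PAIRS, leq_tuple) != keys[k][0]:      # condition (2)
            return False
    return all(leq(psi(op, keys[l][0]), l) for l in keys)


def is_complete_lattice(op):
    """Every pair of keys has a glb in Lambda (enough for a finite poset that,
    like each Lambda here, has a greatest element ns)."""
    keys = list(OPERATORS[op])
    return all(glb([a, b], keys, leq) is not None for a in keys for b in keys)
```

Running `psi("+", ("integer", "real"))` yields `real`, `psi("^", ("real", "real"))` yields `ns` (no key's Φ-image lies above a real exponent), and `is_complete_lattice("+")` is false because boolean and integer have no common lower bound in Λ_+, while `adjunction_laws_hold("+")` still holds, as the parenthetical remark after the Λ_+ table states.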

Finally, we define an equality operation:

    λ          Φ_=(λ)              Γ'_=(λ)
    boolean    boolean, boolean    boolean
    integer    integer, integer    boolean
    real       real, real          boolean
    complex    complex, complex    boolean
    ns         ns, ns              ns

γ'_=(λ) = if λ ≠ ns then the equality relation for B(λ) else λ(x, y). ⟨⟩ .

One might be tempted to add digit string to $\Lambda_=$, with Φ_=(digit string) = digit string, digit string, Γ'_=(digit string) = boolean, and γ'_=(digit string) = the equality relation for B(digit string). However, the diagram

    B(digit string) × B(digit string)  ──digit-string equality──>  B(boolean)
              │                                                         │
    B(digit string ≤ integer) × B(digit string ≤ integer)        B(boolean ≤ boolean)
              │                                                         │
              v                                                         v
    B(integer) × B(integer)  ──integer equality──>  B(boolean)

does not commute, since B(digit string ≤ integer) is not an injection. (For example, 6 and 06 are unequal digit strings which convert to equal integers.) Indeed, one can never use the same operator for the equality relation on different data types when the data types are connected by an implicit conversion function which is not an injection. (At the more concrete level where roundoff error is taken into account, this suggests, quite correctly, that there are special perils surrounding an equality operation for real numbers.)
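The requirement that digit-string addition commute with B(digit string ≤ integer), stated earlier in this section, and the failure of that requirement for a generic equality on digit strings just described, as one added Python example that is not the report's own code: it models the chain digit string ≤ integer ≤ real ≤ complex with the conversion functions of the carrier, builds the generic operators + and = from their key-sort versions by converting operands to the larger sort, and checks diagram (II) on concrete operands, so that the square commutes for + (leading zeros included) but not for = on 6 and 06. The helper names and the sample operands are this example's assumptions; boolean results are compared directly since no conversion leaves boolean here.

```python
# Added example (not from the report): checking that a generic operator and the
# implicit conversions "mesh", i.e. that diagram (II) commutes, on the chain
# digit string <= integer <= real <= complex.  It verifies the requirement on
# digit-string addition and reproduces the failure of generic equality on
# digit strings (6 versus 06).  All helper names are this example's own.
from itertools import product

CHAIN = ("digit string", "integer", "real", "complex")
RANK = {s: i for i, s in enumerate(CHAIN)}

# B(w <= w') for the covering pairs; the other conversions are their composites
# (functoriality: a conversion must not depend on the path through the order).
STEP = {("digit string", "integer"): int,          # not injective: "6" and "06"
        ("integer", "real"): float,                # identity injections
        ("real", "complex"): complex}


def convert(src, dst, x):
    """B(src <= dst)(x), composed from the covering steps in diagrammatic order."""
    assert RANK[src] <= RANK[dst], f"no morphism {src} <= {dst}"
    for i in range(RANK[src], RANK[dst]):
        x = STEP[(CHAIN[i], CHAIN[i + 1])](x)
    return x


def digit_string_addition(a, b):
    """The only freedom is the treatment of leading zeros; this drops them."""
    return str(int(a) + int(b))


def key_sort(w1, w2):
    """Psi_delta for these operators: the larger of the two operand sorts."""
    return w1 if RANK[w1] >= RANK[w2] else w2


# Each operator: Gamma'(key) and gamma'(key), its key-sort version.
OPERATORS = {
    "+": (lambda k: k,
          lambda k: digit_string_addition if k == "digit string"
          else (lambda x, y: x + y)),
    "=": (lambda k: "boolean", lambda k: (lambda x, y: x == y)),
}


def result_sort(op, w1, w2):
    """Gamma_delta(w1, w2) = Gamma'_delta(Psi_delta(w1, w2))."""
    return OPERATORS[op][0](key_sort(w1, w2))


def gamma(op, w1, w2):
    """gamma_delta(w1, w2): convert both operands to the key sort, then apply."""
    k = key_sort(w1, w2)
    f = OPERATORS[op][1](k)
    return lambda x, y: f(convert(w1, k, x), convert(w2, k, y))


def square_commutes(op, w1, w2, v1, v2, x, y):
    """Diagram (II) for x in B(w1), y in B(w2) and sorts w1 <= v1, w2 <= v2:
    apply-then-convert must equal convert-then-apply."""
    r1, r2 = result_sort(op, w1, w2), result_sort(op, v1, v2)
    via_top = gamma(op, w1, w2)(x, y)
    if r1 != "boolean":                 # boolean has no conversion out of it here
        via_top = convert(r1, r2, via_top)
    via_bottom = gamma(op, v1, v2)(convert(w1, v1, x), convert(w2, v2, y))
    return via_top == via_bottom


def equality_counterexamples(max_len=2):
    """Pairs of digit strings on which generic equality fails to commute with
    B(digit string <= integer): unequal strings denoting equal integers."""
    strings = ["".join(p) for n in range(1, max_len + 1)
               for p in product("0123456789", repeat=n)]
    return [(a, b) for a in strings for b in strings
            if not square_commutes("=", "digit string", "digit string",
                                   "integer", "integer", a, b)]
```

`square_commutes("+", "digit string", "digit string", "integer", "real", "007", "12")` is true: adding first gives "19", converted to 19.0, and converting first gives 7 and 12.0, whose real sum is 19.0. `equality_counterexamples()` lists every pair such as ("6", "06"), which is exactly the set of pairs the text says rules out a shared equality operator across a non-injective conversion.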

Algebras  for  Simple  Imperative  Languages 

Now we move from data algebras, which describe languages of expressions, to algebras which describe simple imperative programming languages, i.e., languages with variables, expressions, and commands, but without binding operations. The sorts of our algebras will change from data types to phrase types, which can be thought of as phrase class names of the abstract syntax for the language being defined. For example, in place of the set of data types {integer, real, boolean}, $\Omega$ might be the following partially ordered set of phrase types:

    [figure: partial order of phrase types with ns as its greatest element; only the label ns survives in this copy]

It is evident that for each data type τ there will be two phrase types
τ exp(ression) and τ var(iable), and that τ exp will be a subtype of τ' exp
whenever the data type τ is a subtype of τ'. Moreover, τ var will be a
subtype of τ exp since a variable can be used in any context which permits
an expression of the same data type. On the other hand, the subtype relation
will never hold between variables of distinct data types. For example, an
integer variable cannot be used as a real variable since it cannot accept a
noninteger value, and a real variable cannot be used as an integer variable
since it might produce a noninteger value.
This kind of phrase-type structure, which describes many programming
languages, is unpleasantly asymmetric. For each data type, there are
variables, which can accept or produce values, and expressions, which can
only produce values. Thus one might expect another kind of phrase, called
an acceptor, which can only accept values. If acceptors for each data type
are added to Ω, we have:


Notice that the subtype relation among acceptors is the dual of that for
data types or expressions. For example, a real acceptor can be used as an
integer acceptor since an integer value can be converted into a real value.

The above partial ordering has the peculiarity that there is a pair
of phrase types, real var and integer var, which have no least upper bound.
In general this might not be a problem, but we will find that there is one
language construct, the general conditional phrase, which requires the
existence of binary least upper bounds. To see the problem, suppose n is
an integer variable and x is a real variable, and consider the conditional
variable

if p then n else x .

In a context which calls for an expression, this phrase must be considered
a real expression, since when p is false it can produce a noninteger value.
But in a context which calls for an acceptor, the phrase must be considered
an integer acceptor, since when p is true it cannot accept a noninteger
value. The phrase type which describes this situation must be a subtype
of both integer acc and real exp which in turn has real var and integer var
as its subtypes. In other words, it must be the least upper bound of
real var and integer var.
The way out of this difficulty is to characterize variables by both
the data type which they accept and the data type which they produce.

For example, a real var is actually a "real-accepting, real-producing"
variable, an integer var is actually an "integer-accepting, integer-producing"
variable, and the above conditional variable is an "integer-accepting,
real-producing" variable. If we write τ1τ2 var to abbreviate "τ1-accepting,
τ2-producing" variable, then we have the ordering

[diagram not reproduced; surviving labels: integer acc, real exp]


Implicit in this discussion is the idea that phrase types are constructed
from data types. More generally, since the meaning of expressions can be
described by a data algebra, and expressions are a major constituent of an
imperative programming language, it should be possible to define the algebra
describing the programming language in terms of the data algebra describing
its expressions. To emphasize this possibility we will construct a
programming-language algebra for an arbitrary data algebra, with signature
Ω^D, Δ^D, Γ^D, carrier B^D, and interpretation γ^D. The main restrictions we
will place upon this data algebra are that ns must be the greatest sort in Ω^D
and that Γ^D_δ(ω1, ..., ωn) = ns must hold when any ω_i is ns.

The set of phrase types is

Ω = {τ exp | τ ∈ Ω^D − {ns}} ∪ {τ acc | τ ∈ Ω^D − {ns}}
    ∪ {τ1τ2 var | τ1, τ2 ∈ Ω^D − {ns}} ∪ {comm, ns} ,

with the least partial ordering such that

if τ ≤^D τ' then τ exp ≤ τ' exp

if τ' ≤^D τ then τ acc ≤ τ' acc

if τ1' ≤^D τ1 and τ2 ≤^D τ2' then τ1τ2 var ≤ τ1'τ2' var

τ1τ2 var ≤ τ1 acc

τ1τ2 var ≤ τ2 exp

ω ≤ ns .
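The ordering on Ω just defined, as an added Python example that is not part of the report: it assumes a small constructed data-type preorder (integer ≤ real ≤ complex, with boolean incomparable), implements the subtype relation and binary least upper bounds over it, and applies the specification Γ_if of the generic conditional given later in this section to the conditional variable if p then n else x discussed above.

```python
"""Added example (not from the report): the phrase-type ordering Ω defined
above, over a constructed data-type preorder, with binary least upper bounds
and the specification Γ_if of the generic conditional."""

# Constructed data-type preorder Ω^D (ns omitted: it is the greatest sort and
# never appears inside an exp, acc or var phrase type).
DATA = ("integer", "real", "complex", "boolean")
DATA_LE = {("integer", "real"), ("real", "complex"), ("integer", "complex")}

def data_le(t1, t2):
    """τ1 ≤^D τ2 in the constructed preorder (reflexive by definition)."""
    return t1 == t2 or (t1, t2) in DATA_LE

# Phrase types as tuples: ("exp", τ), ("acc", τ), ("var", τ1, τ2) for a
# τ1-accepting, τ2-producing variable, ("comm",) and ("ns",).
NS, COMM = ("ns",), ("comm",)

def phrase_le(w1, w2):
    """w1 ≤ w2 in Ω: exp is covariant, acc is contravariant, a var lies
    below its acceptor and its expression, and ns is the greatest element."""
    if w2 == NS:
        return True
    if w1 == NS or w1 == COMM or w2 == COMM:
        return w1 == w2
    k1, k2 = w1[0], w2[0]
    if k1 == "exp":
        return k2 == "exp" and data_le(w1[1], w2[1])
    if k1 == "acc":
        return k2 == "acc" and data_le(w2[1], w1[1])
    # k1 == "var": τ1τ2 var ≤ τ1'τ2' var iff τ1' ≤ τ1 and τ2 ≤ τ2';
    # τ1τ2 var ≤ τ' acc iff τ' ≤ τ1; τ1τ2 var ≤ τ' exp iff τ2 ≤ τ'.
    if k2 == "var":
        return data_le(w2[1], w1[1]) and data_le(w1[2], w2[2])
    if k2 == "acc":
        return data_le(w2[1], w1[1])
    return data_le(w1[2], w2[1])

def all_phrase_types():
    """Enumerate Ω for the constructed data types."""
    ts = [("exp", t) for t in DATA] + [("acc", t) for t in DATA]
    ts += [("var", a, b) for a in DATA for b in DATA]
    return ts + [COMM, NS]

def lub(w1, w2):
    """Binary least upper bound in Ω, or None if the pair has none (the
    report requires one for every pair before the generic conditional)."""
    ubs = [u for u in all_phrase_types() if phrase_le(w1, u) and phrase_le(w2, u)]
    minimal = [u for u in ubs if not any(v != u and phrase_le(v, u) for v in ubs)]
    return minimal[0] if len(minimal) == 1 else None

def gamma_if(w1, w2, w3):
    """Γ_if(ω1, ω2, ω3) = if ω1 ≤ boolean exp then ω2 ⊔ ω3 else ns."""
    return lub(w2, w3) if phrase_le(w1, ("exp", "boolean")) else NS

if __name__ == "__main__":
    # 'if p then n else x' with n an integer var and x a real var is typed
    # as the integer-accepting, real-producing variable of the text.
    print(gamma_if(("exp", "boolean"), ("var", "integer", "integer"),
                   ("var", "real", "real")))
```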
Our target algebra describes direct semantics. (Continuation semantics
can be treated in much the same way, but it leads to more complex definitions
without providing any additional insights into the concerns of this paper.)

The carrier of this target algebra will map each sort into a domain (a
partially ordered set containing a least element ⊥ and least upper bounds
of its directed subsets), with implicit conversion functions which are strict
and continuous (i.e., which preserve ⊥ and least upper bounds of directed
sets). Specifically, the following carrier is appropriate for direct
semantics:

B(τ exp) = S → [B^D(τ)]⊥

B(comm) = S → [S]⊥

B(τ acc) = B^D(τ) → B(comm)

B(τ1τ2 var) = B(τ1 acc) × B(τ2 exp)

B(ns) = {⊥}

B(τ exp ≤ τ' exp) = λv. v;[B^D(τ ≤ τ')]⊥

B(τ acc ≤ τ' acc) = λa. B^D(τ' ≤ τ);a

B(τ1τ2 var ≤ τ1 acc) = λ(a,v). a

B(τ1τ2 var ≤ τ2 exp) = λ(a,v). v

B(τ1τ2 var ≤ τ1'τ2' var) = B(τ1 acc ≤ τ1' acc) × B(τ2 exp ≤ τ2' exp)

B(ω ≤ ns) = λx. ⊥ ∈ B(ns) .

Here S is an unspecified set of store states. For any set X, [X]⊥ denotes
the flat domain obtained by adding ⊥ to X. For any function f ∈ X → X',
[f]⊥ denotes the strict extension of f to [X]⊥ → [X']⊥.

Basically, the meaning of a command is a state transition function
(with result ⊥ for nontermination), the meaning of an acceptor is a function
from data values to state transition functions, and the meaning of a variable
is a pair giving both the meaning of an acceptor and of an expression. Notice
that this way of defining variables avoids the mention of any entities such as
Strachey's L-values. (As a consequence, our definition permits strangely
behaved variables akin to the implicit references in GEDANKEN.)
Next we consider operators. Each operator of the data algebra becomes
an expression-producing operator of the imperative-language algebra. If
δ ∈ Δ^D_n, then δ ∈ Δ_n with the specification given by:

Δ_δ = (Ω^D)^n

Φ_δ = Φ^n, where Φ ∈ Ω^D → Ω is the function such that

Φ(τ) = if τ = ns then ns else τ exp .

To define the interpretation of δ we must give a natural transformation γ_δ
from Φ_δ;B^(n) to T_δ;B = Γ^D_δ;Φ;B. Thus γ_δ(τ1, ..., τn) must be a function
from B(Φ(τ1)) × ... × B(Φ(τn)) to B(Φ(Γ^D_δ(τ1, ..., τn))).

If Γ^D_δ(τ1, ..., τn) is ns, then γ_δ(τ1, ..., τn) will be the unique function
from B(Φ(τ1)) × ... × B(Φ(τn)) to B(ns). Otherwise, none of the τ_i will be
ns, and γ_δ(τ1, ..., τn) will be the function from B(τ1 exp) × ... × B(τn exp)
= (S → [B^D(τ1)]⊥) × ... × (S → [B^D(τn)]⊥) to B(Γ^D_δ(τ1, ..., τn) exp)
= S → [B^D(Γ^D_δ(τ1, ..., τn))]⊥ such that

γ_δ(τ1, ..., τn)(v1, ..., vn) = λσ ∈ S. [γ^D_δ(τ1, ..., τn)](v1(σ), ..., vn(σ)) ,

where [γ^D_δ(τ1, ..., τn)] denotes the extension of γ^D_δ(τ1, ..., τn) such that
[γ^D_δ(τ1, ..., τn)](x1, ..., xn) = ⊥ if any x_i = ⊥.

Assignment is an operator := ∈ Δ_2. This is the one case which we cannot
define by using an adjunction from a set of keys. The specification is

Γ_:=(ω1,ω2) = if (∃τ ∈ Ω^D − {ns}) ω1 ≤ τ acc and ω2 ≤ τ exp
              then comm else ns .

If a data type τ meeting the above condition exists, then the interpretation is

γ_:=(ω1,ω2) = λ(a,v). let a' = B(ω1 ≤ τ acc)(a) and v' = B(ω2 ≤ τ exp)(v)
                       in D_comm(v';[a']⊥) ;

otherwise

γ_:=(ω1,ω2) = λ(a,v). ⊥ ∈ B(ns) .

Here [a']⊥ is the ⊥-preserving extension of a' from B^D(τ) → B(comm) to
[B^D(τ)]⊥ → B(comm), and D_comm ∈ (S → B(comm)) → B(comm) is the
diagonalizing function such that

D_comm(h)(σ) = h(σ)(σ) .


A subtlety in this definition is that the data type τ may not be unique.
For example, if ω1 is real acc and ω2 is integer exp then τ can be either
integer or real. However, the definition still gives a unique meaning to
γ_:=. Basically, this is because the structure of Ω insures that, if

ω1 ≤ τ acc,  ω1 ≤ τ' acc,  ω2 ≤ τ exp,  and  ω2 ≤ τ' exp ,

then there are data types τ1 and τ2 such that

ω1 ≤ τ1 acc,  τ1 acc ≤ τ acc,  τ1 acc ≤ τ' acc ,

ω2 ≤ τ2 exp,  τ2 exp ≤ τ exp,  τ2 exp ≤ τ' exp .

Then the definition of B for the implicit conversion of acceptors and
expressions implies that the diagram of functions

B(ω1) × B(ω2)
  → B(τ1 acc) × B(τ2 exp)        via B(ω1 ≤ τ1 acc) × B(ω2 ≤ τ2 exp)
  → B(τ acc) × B(τ exp)          via B(τ1 acc ≤ τ acc) × B(τ2 exp ≤ τ exp)
  → B(comm)                      via λ(a,v). D_comm(v;[a]⊥)

and, along the other route from B(τ1 acc) × B(τ2 exp),

  → B(τ' acc) × B(τ' exp)        via B(τ1 acc ≤ τ' acc) × B(τ2 exp ≤ τ' exp)
  → B(comm)                      via λ(a',v'). D_comm(v';[a']⊥)

commutes. A slight extension of this argument shows that γ_:= is a natural
transformation.




Next we consider conditional phrases. It is trivial to define a
particular type of conditional phrase such as a conditional command, but
the definition of a generic conditional, applicable to arbitrary phrase
types, is more challenging. Obviously, boolean must be a data type, with
B^D(boolean) = {true, false}. Less obviously, Ω must possess all binary
least upper bounds. (Note that this imposes a restriction upon Ω^D.)

Under these conditions, we can define if ∈ Δ_3 with the specification

Δ_if = Ω ,

Φ_if ∈ Ω → Ω^3 is the function such that

Φ_if(ω) = if ω = ns then <ns,ns,ns> else <boolean exp, ω, ω> ,

T_if = I_Ω .

Then the left adjoint of Φ_if is the function Γ_if ∈ Ω^3 → Ω such that

Γ_if(ω1,ω2,ω3) = if ω1 ≤ boolean exp then ω2 ⊔ ω3 else ns .

(From the proposition in the previous section, it can be shown that if there
are members of Ω which do not possess a least upper bound then Φ_if has no
left adjoint.)

To determine the interpretation of if, we must give a natural transformation
γ_if from Φ_if;B^(3) to T_if;B = B. When ω = ns, γ_if(ω) is the unique
function from B(ns) × B(ns) × B(ns) to B(ns). Otherwise it is the function
from B(boolean exp) × B(ω) × B(ω) to B(ω) such that

γ_if(ω)(v,f,g) = D_ω(v;[λb ∈ {true,false}. if b then f else g]⊥) ,

where D is the Ω-indexed family of diagonalizing functions, D_ω ∈
(S → B(ω)) → B(ω), such that

D_{τ exp}    = λh ∈ S → (S → [B^D(τ)]⊥). λσ ∈ S. h(σ)(σ)

D_comm       = λh ∈ S → (S → [S]⊥). λσ ∈ S. h(σ)(σ)

D_{τ acc}    = λh ∈ S → (B^D(τ) → (S → [S]⊥)). λx ∈ B^D(τ). λσ ∈ S. h(σ)(x)(σ)

D_{τ1τ2 var} = λh ∈ S → B(τ1 acc) × B(τ2 exp).
               <D_{τ1 acc}(h;(λ(a,v). a)), D_{τ2 exp}(h;(λ(a,v). v))>

D_ns         = λh ∈ S → B(ns). ⊥ ∈ B(ns) .

(Notice that D_comm also occurred in the definition of assignment.) This
family has the property that, for all ω, ω' ∈ Ω such that ω ≤ ω' and all
h ∈ S → B(ω),

B(ω ≤ ω')(D_ω(h)) = D_ω'(h;B(ω ≤ ω')) .

It is this property that insures that γ_if is a natural transformation.

Finally, for completeness, we define operators for statement sequencing
and a while statement. Since these operators are not generic, their
definition is straightforward:

; ∈ Δ_2 ,  while ∈ Δ_2

Δ_; = Δ_while = {comm, ns} with the same partial ordering as Ω.

Φ_;(comm) = <comm,comm> ,  Φ_while(comm) = <boolean exp, comm>

Φ_;(ns) = Φ_while(ns) = <ns,ns>

T_;(comm) = T_while(comm) = comm

T_;(ns) = T_while(ns) = ns

γ_;(ns) = γ_while(ns) is the unique function from B(ns) × B(ns) to B(ns).

γ_;(comm) = λ(c1 ∈ S → [S]⊥, c2 ∈ S → [S]⊥). c1;[c2]⊥

γ_while(comm) = λ(v ∈ S → [{true,false}]⊥, c ∈ S → [S]⊥).
                Y(λc2 ∈ S → [S]⊥. D_comm(v;[λb. if b then (c;[c2]⊥) else J]⊥)) .

Here J is the identity injection from S to [S]⊥ and Y is the least-fixed-point
operator for the domain S → [S]⊥.
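The direct semantics of assignment, the generic conditional, sequencing and while given above, as an added Python example that is not from the report: it represents the store set S by dicts, ⊥ by None, and the conversion B^D(integer ≤ real) by float, and runs the conditional variable if p then n else x and a small while loop through these definitions.

```python
"""Added example (not from the report): direct semantics of assignment, the
generic conditional, sequencing and while, with stores S as dicts and the ⊥
of every flat domain [X]⊥ represented by None."""
BOT = None

def strict(f):
    """[f]⊥: the strict extension of f, sending ⊥ to ⊥."""
    return lambda x: BOT if x is BOT else f(x)

def bot_comm(s):
    """⊥ of B(comm) = S → [S]⊥: the command that never terminates."""
    return BOT

def bot_of(kind):
    """⊥ of B(ω), by the kind of phrase type ω."""
    return {"exp": lambda s: BOT, "comm": bot_comm, "acc": lambda x: bot_comm,
            "var": (lambda x: bot_comm, lambda s: BOT)}[kind]

def diag(kind, h):
    """The diagonalizing family D_ω ∈ (S → B(ω)) → B(ω) of the report."""
    if kind in ("exp", "comm"):
        return lambda s: h(s)(s)
    if kind == "acc":
        return lambda x: lambda s: h(s)(x)(s)
    return (diag("acc", lambda s: h(s)[0]), diag("exp", lambda s: h(s)[1]))

def var(name):
    """A τ τ var: the pair (acceptor, expression) for a named store cell."""
    return (lambda x: lambda s: {**s, name: x}), (lambda s: s.get(name, BOT))

def exp_conv(v, f):
    """B(τ exp ≤ τ' exp) = λv. v;[f]⊥, where f = B^D(τ ≤ τ')."""
    return lambda s: strict(f)(v(s))

def acc_conv(a, f):
    """B(τ acc ≤ τ' acc) = λa. f;a, where f = B^D(τ' ≤ τ)."""
    return lambda x: a(f(x))

def lift(op):
    """γ_δ for a data operator δ: λ(v1..vn). λσ. [δ](v1(σ), .., vn(σ))."""
    def g(*vs):
        def e(s):
            xs = [v(s) for v in vs]
            return BOT if any(x is BOT for x in xs) else op(*xs)
        return e
    return g

def assign(a, v):
    """γ_:=(a, v) = D_comm(v;[a]⊥); [a]⊥ sends ⊥ to the ⊥ of B(comm)."""
    def h(s):
        x = v(s)
        return bot_comm if x is BOT else a(x)
    return diag("comm", h)

def cond(kind, p, f, g):
    """γ_if(ω)(p, f, g) = D_ω(p;[λb. if b then f else g]⊥)."""
    def h(s):
        b = p(s)
        return bot_of(kind) if b is BOT else (f if b else g)
    return diag(kind, h)

def seq(c1, c2):
    """γ_;(c1, c2) = c1;[c2]⊥."""
    return lambda s: strict(c2)(c1(s))

def while_cmd(p, c):
    """γ_while(p, c) = Y(λc2. D_comm(p;[λb. if b then c;[c2]⊥ else J]⊥)); the
    fixed point is unfolded on demand (a never-ending loop recurses forever)."""
    def c2(s):
        b = p(s)
        if b is BOT:
            return BOT
        if not b:
            return s                  # J: identity injection of S into [S]⊥
        return strict(c2)(c(s))       # c;[c2]⊥
    return c2

def demo_conditional_variable(p_value):
    """'if p then n else x' (n an integer var, x a real var) used as the
    integer-accepting, real-producing variable: assign 3, read back a real."""
    n_acc, n_exp = var("n")
    x_acc, x_exp = var("x")
    n_as_var = (n_acc, exp_conv(n_exp, float))   # integer var ≤ integer real var
    x_as_var = (acc_conv(x_acc, float), x_exp)   # real var ≤ integer real var
    cv_acc, cv_exp = cond("var", lambda s: s["p"], n_as_var, x_as_var)
    s1 = assign(cv_acc, lambda s: 3)({"p": p_value, "n": 0, "x": 0.0})
    return s1, cv_exp(s1)

def demo_while(limit):
    """t := 0; i := 0; while i < limit do (t := t + i; i := i + 1)."""
    i_acc, i_exp = var("i")
    t_acc, t_exp = var("t")
    body = seq(assign(t_acc, lift(lambda a, b: a + b)(t_exp, i_exp)),
               assign(i_acc, lift(lambda a: a + 1)(i_exp)))
    loop = while_cmd(lift(lambda a, b: a < b)(i_exp, lambda s: limit), body)
    return loop({"i": 0, "t": 0})

def demo_bottom():
    """Assigning from an expression that yields ⊥ makes the command yield ⊥."""
    t_acc, _ = var("t")
    return assign(t_acc, var("undefined")[1])({"t": 0})
```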


Future  Directions 

The  approach  described  in  this  paper  is  still  far  from  being  able  to 
encompass  a  full-blown  programming  language.  In  particular,  the  following 
areas  need  investigation: 

(1)  Binding  mechanisms,  i.e.  declarations  and  procedures. 

(2)  Products  of  types,  i.e.  records  or  class  elements. 

(3)  Sums  of  types,  i.e.  disjoint  unions. 

(4)  Type  definitions,  including  recursive  type  definitions. 

(5) Syntactic control of interference.
In the first three of these areas, our ideas have progressed far enough
to suggest the form of the partially ordered set of phrase types. One wants
a set Ω satisfying

Ω = Ω_primitive + Ω_procedure + Ω_product + Ω_sum .

Here + denotes some kind of sum of partially ordered sets. (At present, it
is not clear how this sum should treat the greatest type ns or a possible
least type.) The partially ordered set Ω_primitive is similar to the Ω
described in the previous section, and

Ω_procedure = {ω1 → ω2 | ω1, ω2 ∈ Ω}

Ω_product = {product(ω1, ..., ωn) | n ≥ 0 and ω1, ..., ωn ∈ Ω}

Ω_sum = {sum(ω1, ..., ωn) | n ≥ 0 and ω1, ..., ωn ∈ Ω} .

The main novelty is the partial ordering of Ω_procedure. One wants
procedure types to satisfy

(ω1 → ω2) ≤ (ω1' → ω2') if and only if ω1' ≤ ω1 and ω2 ≤ ω2' ,

so that the type operator → is antimonotone in its first argument. For
example, suppose integer exp ≤ real exp. Then a procedure of type
real exp → boolean exp, which can accept any real expression as argument,
can also accept any integer expression as argument, and should therefore be
permissible in any context which permits a procedure of type integer exp →
boolean exp. Thus (real exp → boolean exp) ≤ (integer exp → boolean exp).

It follows that Ω_procedure will be isomorphic to Ω^op × Ω, where Ω^op
denotes the dual of Ω. This raises the question of how one solves the
recursive equation describing Ω. The simplest answer is to impose an
appropriate ordering on the least set satisfying this equation. The
resulting Ω, however, will not contain certain limits which will be needed
to deal with recursive type definitions. One would like to use Scott's
methods to treat recursive definitions, but these methods do not encompass
the operation of dualizing a partial ordering.
This difficulty does not arise for products or sums, where conventional
pointwise ordering seems natural. However, a richer ordering becomes
attractive when named, rather than numbered, products and sums are considered.
Suppose we redefine

Ω_product = {product(ω) | ω ∈ N → Ω for some finite set N of names} ,

and similarly for Ω_sum. Then the following ordering can be used:

product(ω) ≤ product(ω') whenever
    domain(ω) ⊇ domain(ω') and (∀n ∈ domain(ω')) ω(n) ≤ ω'(n) ,

sum(ω) ≤ sum(ω') whenever
    domain(ω) ⊆ domain(ω') and (∀n ∈ domain(ω)) ω(n) ≤ ω'(n) .

The first ordering permits implicit record conversions which forget fields.
The second ordering permits implicit conversions of disjoint unions which
broaden the number of alternatives in a union.

In particular, the second ordering solves a long-standing problem in
the type-checking of disjoint union expressions. Suppose p is a phrase of
type ω, and make-n denotes the injection into a disjoint union corresponding
to the alternative named n. Using bottom-up type analysis, how does one
determine the type of make-n(p)? The answer is that the type is sum(n:ω),
which is a subtype of any sum of the form sum(..., n:ω, ...).
APPENDIX


In  this  appendix  we  will  demonstrate  the  existence  of  free  category- 
sorted  algebras  by  constructing  an  appropriate  adjunction.  Our  basic 
approach  will  be  to  connect  category-sorted  algebras  with  ordinary  one-sorted 
algebras  in  order  to  use  the  known  existence  of  free  ordinary  algebras. 

We  begin  by  stating  several  general  properties  of  adjunctions  which  will  be 
used  in  our  development. 


Proposition  Suppose U is a functor from K' to K, F is a function
from |K| to |K'|, and η is a |K|-indexed family of morphisms
η(X) ∈ X →_K U(F(X)) such that:

    For all X ∈ |K|, X' ∈ |K'|, and ρ ∈ X →_K U(X') there is
    exactly one morphism ρ̂ ∈ F(X) →_{K'} X' such that the triangle

        η(X);U(ρ̂) = ρ

    commutes in K.

Then there is exactly one way of extending F to be a functor from
K to K' such that F is the left adjoint of U with η as the associated
natural transformation. Namely, for each θ ∈ X →_K X', F(θ) must be
the unique morphism such that the square

    X  --η(X)-->  U(F(X))
    |θ               |U(F(θ))
    X' --η(X')--> U(F(X'))

commutes in K.

We omit the proof (11, p. 116), the main point of which is to show that the
extension of F preserves composition and identities. The utility of this
proposition is that, in specifying adjunctions, it is only necessary to
specify the object part of the left adjoint.
Next, we consider the composition of adjunctions:

Proposition  Suppose U is a functor from K' to K with left adjoint F
and associated natural transformation η, and U' is a functor from K'' to
K' with left adjoint F' and associated natural transformation η'.
Let

    U'' = U';U

    F'' = F;F'

    η''(X) = η(X);U(η'(F(X))) .

Then U'' is a functor from K'' to K with left adjoint F'' and associated
natural transformation η''.

Again we omit the proof (9, p. 101).

Finally, we introduce the construction of categories over distinguished
objects, and show that an adjunction between such categories can be built
out of an adjunction between the categories from which they have been
constructed.

Let K be a category and T ∈ |K|. Then K↓T, called the category of
objects over T, is the category such that

(a) |K↓T| = {X,t | X ∈ |K| and t ∈ X →_K T} ,

(b) X,t →_{K↓T} X',t' is the set of morphisms ρ ∈ X →_K X' such that

        ρ;t' = t

    commutes in K.

(c) Composition and identities are the same as in K.


Then:

Proposition  Suppose U is a functor from K' to K with left adjoint
F and associated natural transformation η. Suppose T' ∈ |K'| and
T = U(T'). Let Û be the functor from K'↓T' to K↓T such that
Û(X',t') = U(X'),U(t') and Û(ρ) = U(ρ). Then Û has a left adjoint
F̂ and an associated natural transformation η̂ such that

    F̂(X,t) = F(X),t̂

    η̂(X,t) = η(X) ,

where t̂ ∈ F(X) →_{K'} T' is the unique morphism such that

    η(X);U(t̂) = t

commutes in K.

Proof: We leave it to the reader to verify that Û is a functor from
K'↓T' to K↓T, that F̂ is (the object part of) a functor from K↓T to K'↓T',
and that η̂(X,t) ∈ X,t →_{K↓T} Û(F̂(X,t)). To show the adjunction property,
suppose X,t ∈ |K↓T|, X',t' ∈ |K'↓T'|, and ρ ∈ X,t →_{K↓T} Û(X',t'). Then we must
show that there is exactly one ρ̂ ∈ F̂(X,t) →_{K'↓T'} X',t' such that

    η̂(X,t);Û(ρ̂) = ρ ,   where  Û(F̂(X,t)) = U(F(X)),U(t̂),
                                Û(ρ̂) = U(ρ̂),
                                Û(X',t') = U(X'),U(t') ,

commutes in K↓T.

Since composition is the same in K↓T as in K, ρ̂ can only be the unique
morphism in F(X) →_{K'} X' such that

    X --η(X)--> U(F(X)) --U(ρ̂)--> U(X')  equals  ρ

commutes in K. However, we must show that ρ̂ actually belongs to the more
restricted set of morphisms F̂(X,t) →_{K'↓T'} X',t'. To establish this, we
note that ρ ∈ X,t →_{K↓T} Û(X',t') = X,t →_{K↓T} U(X'),U(t') implies that

    ρ;U(t') = t

commutes in K, which in conjunction with the previous diagram implies that

    X --η(X)--> U(F(X)) --U(ρ̂);U(t') = U(ρ̂;t')--> U(T') = T  equals  t

commutes in K. Then the uniqueness of t̂ gives ρ̂;t' = t̂, so that ρ̂ ∈
F(X),t̂ →_{K'↓T'} X',t' = F̂(X,t) →_{K'↓T'} X',t'.

Now we can apply these general results to the specific case of interest.
Let Ω,Δ,Γ be a fixed but arbitrary category-sorted signature, let CALG (called
ALG_{Ω,Δ,Γ} in the main text) be the category of Ω,Δ,Γ-algebras and their
homomorphisms, and let ALG be the category of Δ-algebras and their
homomorphisms:

(1) A Δ-algebra consists of:

    (1a) A carrier R, which is a set.

    (1b) For each n ≥ 0 and δ ∈ Δ_n, an interpretation σ_δ ∈ R^n → R.

(2) If R,σ and R',σ' are Δ-algebras, then a homomorphism from R,σ
    to R',σ' is a function h ∈ R → R' such that, for all n ≥ 0
    and δ ∈ Δ_n, the diagram

        R^n  --σ_δ-->  R
        |h^n           |h
        R'^n --σ'_δ--> R'

    of functions commutes.

The known existence of ordinary free algebras can be stated in the
language of adjunctions by:

    Let U_Δ be the functor from ALG to SET which maps algebras into
    their carriers and homomorphisms into themselves. Then U_Δ
    possesses a left adjoint F_Δ with an associated natural
    transformation η_Δ.

Here F_Δ(S) is the free Δ-algebra generated by S, and η_Δ(S) is the embedding
of S into the carrier of F_Δ(S).

Of particular importance is the Δ-algebra, which we will call T, in which
the carrier members are sorts and the interpretation of each operator is its
category-sorted specification. More precisely, T is the Δ-algebra |Ω|, Γ_ob,
where each Γ_{ob,δ} is the object part of the functor Γ_δ.

We now introduce the categories ALG↓T and SET↓|Ω|. An object of ALG↓T
can be thought of as a Δ-algebra equipped with an assignment of sorts to the
members of its carrier. Similarly, an object of SET↓|Ω| can be thought of
as a set equipped with an assignment of sorts to its members. Since |Ω| =
U_Δ(T), our last general proposition gives:

    Let U_T be the functor from ALG↓T to SET↓|Ω| such that U_T(<R,σ>,τ)
    = U_Δ(R,σ),U_Δ(τ) = R,τ, and U_T(h) = U_Δ(h) = h. Then U_T has a left
    adjoint F_T and an associated natural transformation η_T such that

        F_T(S,τ) = F_Δ(S),τ̂

        η_T(S,τ) = η_Δ(S) ,

    where τ̂ ∈ F_Δ(S) →_{ALG} T is the unique morphism such that

        η_Δ(S);U_Δ(τ̂) = τ

    commutes in SET.

Informally, a type assignment to a set can be extended to the free Δ-algebra
generated by that set by using the specification Γ to interpret the operators
in Δ.
Our final (and most complicated) task is to construct an adjunction
from ALG↓T to CALG. Let U_C be a functor from CALG to ALG↓T whose action
on objects is given by:

    U_C(B',γ') = <R',σ'>,τ' where                                        (1)

    R' = {ω,x' | ω ∈ |Ω| and x' ∈ B'(ω)} ,

    σ'_δ ∈ R'^n → R' is the function such that

    σ'_δ(<ω1,x1'>, ..., <ωn,xn'>) =
        Γ_δ(ω1, ..., ωn), γ'_δ(ω1, ..., ωn)(x1', ..., xn') ,

    τ' ∈ R' → |Ω| is the function such that τ'(ω,x') = ω .

(The variables in this definition have been primed to facilitate its
application to later developments.) The reader may verify that τ' is an
homomorphism from R',σ' to T, so that <R',σ'>,τ' is an object of ALG↓T.
Intuitively, the action of U_C on objects is to forget the morphism part of
B' (i.e., the implicit conversion functions) and to collapse the object part
of B' into a disjoint union R' of its components, with a type assignment τ'
which remembers which component of B' was the source of each member of R'.

To specify the action of U_C on morphisms, suppose θ ∈ B,γ →_{CALG} B',γ',
and let <R,σ>,τ = U_C(B,γ) and <R',σ'>,τ' = U_C(B',γ'). Then
U_C(θ) ∈ R → R' is the function such that

    U_C(θ)(ω,x) = ω,θ(ω)(x) .

The reader may verify that U_C(θ) is an homomorphism from R,σ to R',σ' (which
depends upon the fact that θ is an homomorphism from B,γ to B',γ'), that

    U_C(θ);τ' = τ

commutes in ALG, so that U_C(θ) ∈ <R,σ>,τ →_{ALG↓T} <R',σ'>,τ', and that U_C
preserves composition and identities.
Next, let F_C be the functor from ALG↓T to CALG such that

    F_C(<R,σ>,τ) = B,γ where                                             (2)

    B(ω) = {r,ι | r ∈ R and ι ∈ τ(r) →_Ω ω} ,

    B(ρ ∈ ω →_Ω ω') ∈ B(ω) → B(ω') is the function such that

    B(ρ)(r,ι) = r,(ι;ρ) ,

    γ_δ(ω1, ..., ωn) ∈ B(ω1) × ... × B(ωn) → B(Γ_δ(ω1, ..., ωn))
    is the function such that

    γ_δ(ω1, ..., ωn)(<r1,ι1>, ..., <rn,ιn>) = σ_δ(r1, ..., rn), Γ_δ(ι1, ..., ιn) .

To see that γ_δ(ω1, ..., ωn) is a function of the correct type, suppose that,
for 1 ≤ i ≤ n, <r_i,ι_i> ∈ B(ω_i). Then each ι_i ∈ τ(r_i) → ω_i. Thus
Γ_δ(ι1, ..., ιn) ∈ Γ_δ(τ(r1), ..., τ(rn)) → Γ_δ(ω1, ..., ωn). But since
τ is an homomorphism from R,σ to T = |Ω|,Γ_ob, this set is also
τ(σ_δ(r1, ..., rn)) → Γ_δ(ω1, ..., ωn). Thus <σ_δ(r1, ..., rn),
Γ_δ(ι1, ..., ιn)> ∈ B(Γ_δ(ω1, ..., ωn)). The reader may also verify that B
is a functor from Ω to SET and γ_δ is a natural transformation from B^(n);×^(n)
to Γ_δ;B.

Intuitively, one can think of τ as assigning a "minimal" type to each
member of R, and of a member of B(ω) as a member of R paired with an implicit
conversion from its minimal type to ω.

For any object <R,σ>,τ of ALG↓T,

    U_C(F_C(<R,σ>,τ)) = <R̄,σ̄>,τ̄ where

    R̄ = {ω,<r,ι> | ω ∈ |Ω| and r ∈ R and ι ∈ τ(r) → ω} ,

    σ̄_δ ∈ R̄^n → R̄ is the function such that

    σ̄_δ(<ω1,<r1,ι1>>, ..., <ωn,<rn,ιn>>) =
        Γ_δ(ω1, ..., ωn), <σ_δ(r1, ..., rn), Γ_δ(ι1, ..., ιn)> ,

    τ̄ ∈ R̄ → |Ω| is the function such that τ̄(ω,<r,ι>) = ω .
Let

    η_C(<R,σ>,τ) ∈ R → R̄ be the function such that

    η_C(<R,σ>,τ)(r) = τ(r),<r,I_{τ(r)}> .

The reader may verify that η_C(<R,σ>,τ) is an homomorphism from R,σ to R̄,σ̄
(which depends upon the fact that τ is an homomorphism from R,σ to T = |Ω|,Γ_ob),
and that

    η_C(<R,σ>,τ);τ̄ = τ

commutes in ALG. Thus η_C(<R,σ>,τ) ∈ <R,σ>,τ →_{ALG↓T} <R̄,σ̄>,τ̄ =
<R,σ>,τ →_{ALG↓T} U_C(F_C(<R,σ>,τ)).

Now we will show that F_C is a left adjoint of U_C, with associated
natural transformation η_C. Let <R,σ>,τ be an object of ALG↓T, let B',γ' be
an object of CALG, and let h be a morphism in ALG↓T from <R,σ>,τ to U_C(B',γ'),
where U_C(B',γ') = <R',σ'>,τ' is described by (1).

Since h is a function from R to R', the definition of R' implies that
h(r) will be a pair ω,x', where x' ∈ B'(ω). Moreover, since h is a morphism
in ALG↓T,

    h;τ' = τ

must commute in ALG, so that τ(r) = τ'(h(r)) = τ'(ω,x') = ω. Thus
[h(r)]_1 = τ(r) and [h(r)]_2 ∈ B'(τ(r)).

Now suppose ĥ is any morphism in F_C(<R,σ>,τ) →_{CALG} B',γ', where
F_C(<R,σ>,τ) = B,γ is described by (2), and consider the diagram

    <R,σ>,τ --η_C(<R,σ>,τ)--> U_C(F_C(<R,σ>,τ)) --U_C(ĥ)--> U_C(B',γ')
    compared with  h ∈ <R,σ>,τ → U_C(B',γ')                             (D)

in ALG↓T. From the definitions of η_C and of the action of U_C on morphisms,
we have

    U_C(ĥ)(η_C(<R,σ>,τ)(r)) = U_C(ĥ)(τ(r),<r,I_{τ(r)}>) = τ(r),ĥ(τ(r))(r,I_{τ(r)}) .

Thus the diagram (D) will commute if and only if, for all r ∈ R,

    ĥ(τ(r))(r,I_{τ(r)}) = [h(r)]_2 .

Moreover, since ĥ is a category-sorted homomorphism from B,γ to B',γ',
it is a natural transformation from B to B'. Thus for all r ∈ R, ω ∈ |Ω|,
and ι ∈ τ(r) →_Ω ω,

    B(τ(r)) --ĥ(τ(r))--> B'(τ(r))
    |B(ι)                |B'(ι)
    B(ω)  ----ĥ(ω)-----> B'(ω)

commutes in SET. In conjunction with the action of B on morphisms, this gives

    ĥ(ω)(<r,ι>) = ĥ(ω)(B(ι)(r,I_{τ(r)})) = B'(ι)(ĥ(τ(r))(r,I_{τ(r)})) .

Thus diagram (D) will commute if and only if

    ĥ(ω)(<r,ι>) = B'(ι)([h(r)]_2)

holds for all r ∈ R, ω ∈ |Ω|, and ι ∈ τ(r) → ω.

Since this equation completely determines $\hat h$, the adjunction property will hold if the resulting $\hat h$ is actually a category-sorted homomorphism from $\langle B,\gamma\rangle$ to $\langle B',\gamma'\rangle$. We leave it to the reader to verify that $\hat h(\omega) \in B(\omega) \to B'(\omega)$, and that, because of the action of $B$ on morphisms, $\hat h$ is a natural transformation from $B$ to $B'$. The one nontrivial property to be shown is that $\hat h$ satisfies the homomorphic relationship with the interpretations $\gamma$ and $\gamma'$, that is, that for all $n \ge 0$, $\delta \in \Delta_n$, and $\omega_1, \ldots, \omega_n \in |\Omega|$, the square

$B(\omega_1) \times \cdots \times B(\omega_n) \xrightarrow{\ \gamma_\delta(\omega_1,\ldots,\omega_n)\ } B(\Gamma_\delta(\omega_1,\ldots,\omega_n))$

$\hat h(\omega_1) \times \cdots \times \hat h(\omega_n)$ (left side),   $\hat h(\Gamma_\delta(\omega_1,\ldots,\omega_n))$ (right side)

$B'(\omega_1) \times \cdots \times B'(\omega_n) \xrightarrow{\ \gamma'_\delta(\omega_1,\ldots,\omega_n)\ } B'(\Gamma_\delta(\omega_1,\ldots,\omega_n))$

commutes in SET.

To see this, suppose $\langle r_1,\iota_1\rangle, \ldots, \langle r_n,\iota_n\rangle \in B(\omega_1) \times \cdots \times B(\omega_n)$. Then

$\hat h(\Gamma_\delta(\omega_1,\ldots,\omega_n))(\gamma_\delta(\omega_1,\ldots,\omega_n)(\langle r_1,\iota_1\rangle, \ldots, \langle r_n,\iota_n\rangle))$

$= \hat h(\Gamma_\delta(\omega_1,\ldots,\omega_n))(\langle \sigma_\delta(r_1,\ldots,r_n), \Gamma_\delta(\iota_1,\ldots,\iota_n)\rangle)$

$= B'(\Gamma_\delta(\iota_1,\ldots,\iota_n))([h(\sigma_\delta(r_1,\ldots,r_n))]_2)$

$= B'(\Gamma_\delta(\iota_1,\ldots,\iota_n))([\sigma'_\delta(h(r_1),\ldots,h(r_n))]_2)$

since $h$ is a homomorphism from $\langle R,\sigma\rangle$ to $\langle R',\sigma'\rangle$,

$= B'(\Gamma_\delta(\iota_1,\ldots,\iota_n))(\gamma'_\delta(\tau(r_1),\ldots,\tau(r_n))([h(r_1)]_2, \ldots, [h(r_n)]_2))$

by the definition of $\sigma'_\delta$ given in (1),

$= \gamma'_\delta(\omega_1,\ldots,\omega_n)(B'(\iota_1)([h(r_1)]_2), \ldots, B'(\iota_n)([h(r_n)]_2))$

since $\gamma'_\delta$ is a natural transformation from $B'^{(n)};\times$ to $\Gamma_\delta;B'$,

$= \gamma'_\delta(\omega_1,\ldots,\omega_n)(\hat h(\omega_1)(\langle r_1,\iota_1\rangle), \ldots, \hat h(\omega_n)(\langle r_n,\iota_n\rangle)).$

In summary, we have constructed the adjunctions

$\mathrm{SET}{\downarrow}|\Omega| \;\rightleftarrows\; \mathrm{ALG}{\downarrow}T \;\rightleftarrows\; \mathrm{CALG}$

with associated natural transformations $\eta_T$ and $\eta_C$. The adjunction used in the main text is the composition of these adjunctions:

$U = U_C;U_T$

$F = F_T;F_C$

$\eta(S,\tau_S) = \eta_T(S,\tau_S);_{\mathrm{SET}{\downarrow}|\Omega|} U_T(\eta_C(F_T(S,\tau_S)))$.

The free $\Omega\Delta\Gamma$-algebra $F(S,\tau_S)$ generated by $S,\tau_S$ is given explicitly by (2), where $R,\sigma$ is the free $\Delta$-algebra generated by $S$ and $\tau \in R \to |\Omega|$ is the unique homomorphism such that $\eta(S);\tau = \tau_S$, $\eta(S) \in S \to R$ being the embedding of the generators.

In the special case where $\Omega$ is a preordered set, there is at most one $\iota \in \tau(r) \to \omega$, so that (2) is isomorphic to the much simpler definition:

$B(\omega) = \{\, r \mid r \in R \text{ and } \tau(r) \le \omega \,\}$

$B(\omega \le \omega')$ is the identity inclusion from $B(\omega)$ to $B(\omega')$,

$\gamma_\delta(\omega_1, \ldots, \omega_n)(r_1, \ldots, r_n) = \sigma_\delta(r_1, \ldots, r_n)$.

In this case, $B(\omega)$ is simply the subset of the terms of the ordinary free $\Delta$-algebra whose minimal sort is a subsort of $\omega$, the implicit conversion functions are all identity inclusions, and the operators are interpreted the same way as in the ordinary free algebra.
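To make the preordered-set case concrete, here is an added example (not the report's own code) that builds a finite slice of the free algebra over a constructed chain of sorts integer ≤ real ≤ complex with constructed operators plus and sqrt, computes the minimal sort τ(r) of each term, and checks that the simplified definition is well-typed: the inclusions B(ω ≤ ω') are monotone and γ_δ carries B(ω_1) × ... × B(ω_n) into B(Γ_δ(ω_1, ..., ω_n)). All names in it (SORTS, GAMMA, Term, tau, B, check_free_algebra) are this example's own.

```python
# Added example (not the report's own code): the preordered-set special case of
# the free category-sorted algebra, on a constructed signature.
from dataclasses import dataclass
from itertools import product

# Constructed preorder of sorts Ω: a chain, so every pair has a least upper bound.
SORTS = ["integer", "real", "complex"]
RANK = {s: i for i, s in enumerate(SORTS)}

def leq(w1, w2):
    """ω1 ≤ ω2 in Ω (the unique morphism ι ∈ ω1 → ω2 exists iff this holds)."""
    return RANK[w1] <= RANK[w2]

def join(*ws):
    return max(ws, key=RANK.__getitem__)

# Constructed operator set Δ with sort functors Γ_δ: Ω^n → Ω.  Each Γ_δ is
# monotone in every argument, which is what makes it a functor on a preorder.
ARITY = {"plus": 2, "sqrt": 1}
GAMMA = {
    "plus": lambda w1, w2: join(w1, w2),
    "sqrt": lambda w: "real" if leq(w, "real") else "complex",
}

@dataclass(frozen=True)
class Term:
    """A term r of the ordinary free Δ-algebra R generated by a sorted set S."""
    op: str            # an operator δ ∈ Δ, or "var" for a generator
    args: tuple = ()   # the subterms r_1, ..., r_n
    name: str = ""     # generator name when op == "var"

def tau(r, tau_S):
    """τ ∈ R → |Ω|: the unique homomorphism extending the sort assignment τ_S
    on generators, i.e. τ(σ_δ(r_1, ..., r_n)) = Γ_δ(τ(r_1), ..., τ(r_n))."""
    if r.op == "var":
        return tau_S[r.name]
    return GAMMA[r.op](*(tau(a, tau_S) for a in r.args))

def B(omega, terms, tau_S):
    """B(ω) = {r | r ∈ R and τ(r) ≤ ω}: the terms whose minimal sort is a
    subsort of ω.  B(ω ≤ ω') is then just the inclusion B(ω) ⊆ B(ω')."""
    return frozenset(r for r in terms if leq(tau(r, tau_S), omega))

def gamma(delta, args):
    """γ_δ(ω_1, ..., ω_n)(r_1, ..., r_n) = σ_δ(r_1, ..., r_n): the operator is
    interpreted as in the ordinary free algebra, by building the term."""
    return Term(delta, tuple(args))

def terms_up_to(generators, depth):
    """The finite slice of R consisting of terms nested at most `depth` deep."""
    layer = {Term("var", name=g) for g in generators}
    for _ in range(depth):
        new = set(layer)
        for delta, n in ARITY.items():
            for args in product(layer, repeat=n):
                new.add(gamma(delta, args))
        layer = new
    return frozenset(layer)

def check_free_algebra(generators, tau_S, depth=1):
    """On the finite slice, check the two clauses that make (B, γ) a
    category-sorted algebra: inclusions respect ≤, and γ_δ maps
    B(ω_1) × ... × B(ω_n) into B(Γ_δ(ω_1, ..., ω_n))."""
    terms = terms_up_to(generators, depth)
    for w1, w2 in product(SORTS, repeat=2):
        if leq(w1, w2) and not B(w1, terms, tau_S) <= B(w2, terms, tau_S):
            return False
    for delta, n in ARITY.items():
        for ws in product(SORTS, repeat=n):
            target = GAMMA[delta](*ws)
            for args in product(*(B(w, terms, tau_S) for w in ws)):
                if not leq(tau(gamma(delta, args), tau_S), target):
                    return False
    return True

if __name__ == "__main__":
    tau_S = {"x": "integer", "y": "real"}      # constructed sorted generators
    x, y = Term("var", name="x"), Term("var", name="y")
    print(tau(gamma("plus", [x, y]), tau_S))   # real: the integer converts up
    print(check_free_algebra(["x", "y"], tau_S))
```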
APPENDIX C: SPECIFICATION LOGIC


This  presentation  of  specification  logic  is  based  upon  a  subset  of 
Algol  W  that  has  been  augmented  by  refining  its  type  structure  and 
introducing  lambda  expressions,  as  in  idealized  Algol. 

The  phrases  of  this  language  are  categorized  by  phrase  types,  which 
are  described  by  the  following  grammar: 

<data type> ::= integer | real | logical

<phrase type> ::= <data type> variable | <data type> expression
                | <data type> array variable (<dimension list>)
                | <data type> array expression (<dimension list>)
                | statement | assertion
                | procedure (<phrase type list>)
                | <data type> procedure (<phrase type list>)

<phrase type list> ::= <phrase type> | <phrase type list> , <phrase type>

<dimension list> ::= * | <dimension list> , *

The symbols exp and var are often used to abbreviate expression and variable.

Let $M_\theta$ be the set of meanings appropriate to the phrase type $\theta$. In particular, let

$M_{\tau\ \mathrm{expression}} = S \to V_\tau$

$M_{\mathrm{assertion}} = S \to \{\mathrm{true}, \mathrm{false}\}$

$M_{\mathrm{statement}} = S \to (S^* \cup S^\omega)$,

where $S$ is the set of states (mappings of variables into values) and $V_\tau$ is the set of values appropriate to the data type $\tau$.

Here the form of $M_{\mathrm{statement}}$ reflects the partially operational view that the meaning of a statement maps a state $\sigma$ into the finite or infinite sequence of states that occur during execution of the statement starting with $\sigma$. The inclusion of intermediate states in this definition is necessary for the definition of noninterference specifications.

An environment is a mapping on the set of identifiers that maps each identifier of phrase type $\theta$ into a member of $M_\theta$. We write $[\![P]\!]_\eta$ for the meaning of a phrase $P$ in an environment $\eta$.

Then the meanings of the various forms of specifications used in specification logic can be defined as follows:

(1) If $P$ and $Q$ are assertions and $S$ is a statement then $[\![\{P\}\ S\ \{Q\}]\!]_\eta$ is true if and only if, for any state $\sigma$ such that $[\![P]\!]_\eta(\sigma)$ is true, the sequence $[\![S]\!]_\eta(\sigma)$ is either infinite or concludes with a final state $\sigma_f$ such that $[\![Q]\!]_\eta(\sigma_f)$ is true.

(2) If $P$ is an assertion, then $[\![\{P\}]\!]_\eta$ is true if and only if $[\![P]\!]_\eta(\sigma)$ is true for all states $\sigma$.

(3) For $n \ge 1$, if $S_1, \ldots, S_n$ and $S$ are specifications then $[\![S_1 \,\&\, \cdots \,\&\, S_n \Rightarrow S]\!]_\eta$ is true if and only if either $[\![S]\!]_\eta$ is true or some $[\![S_i]\!]_\eta$ is false.

(4) If $I$ is an identifier and $S$ is a specification such that the free occurrences of $I$ in $S$ have phrase type $\theta$, then $[\![(\forall_\theta I)\ S]\!]_\eta$ is true if and only if, for all meanings $m$ appropriate to $\theta$, $[\![S]\!]_{[\eta \mid I{:}\,m]}$ is true.

(5a) If $S$ is a statement and $E$ is a $\tau$ expression or assertion then $[\![S \,\#\, E]\!]_\eta$ is true if and only if, for all states $\sigma$ and $\sigma'$ such that $\sigma'$ occurs in the sequence $[\![S]\!]_\eta(\sigma)$, $[\![E]\!]_\eta(\sigma') = [\![E]\!]_\eta(\sigma)$.

(5b) If $V$ is a $\tau$ variable, $E$ is a $\tau'$ expression or assertion, and $I$ is an identifier not occurring free in $V$ or $E$ then, for all environments, $V \,\#\, E$ has the same meaning as $(\forall_{\tau\ \mathrm{exp}} I)\ (V := I) \,\#\, E$.

(5c) If $X$ is an $n$-dimensional $\tau$ array variable, $E$ is a $\tau'$ expression or assertion, and $I_1, \ldots, I_n$ are distinct identifiers not occurring free in $X$ or $E$ then, for all environments, $X \,\#\, E$ has the same meaning as

$(\forall_{\mathrm{integer\ exp}} I_1) \cdots (\forall_{\mathrm{integer\ exp}} I_n)\ X(I_1, \ldots, I_n) \,\#\, E$.

(5d) If $H$ is a procedure$(\theta_1, \ldots, \theta_n)$, $E$ is a $\tau$ expression or assertion, $I_1, \ldots, I_n$ are distinct identifiers that do not occur free in $H$ or $E$, and $\theta_{i_1}, \ldots, \theta_{i_k}$ are the statement-like members of $\{\theta_1, \ldots, \theta_n\}$ then, for all environments, $H \,\#\, E$ has the same meaning as

$(\forall_{\theta_1} I_1) \cdots (\forall_{\theta_n} I_n)\ (I_{i_1} \,\#\, E \,\&\, \cdots \,\&\, I_{i_k} \,\#\, E \Rightarrow H(I_1, \ldots, I_n) \,\#\, E)$.

(5e) If $S$ is a statement-like phrase, $Y$ is an $n$-dimensional $\tau$ array expression, and $I_1, \ldots, I_n$ are distinct identifiers not occurring free in $S$ or $Y$ then, for all environments, $S \,\#\, Y$ has the same meaning as

$(\forall_{\mathrm{integer\ exp}} I_1) \cdots (\forall_{\mathrm{integer\ exp}} I_n)\ (S \,\#\, I_1 \,\&\, \cdots \,\&\, S \,\#\, I_n \Rightarrow S \,\#\, Y(I_1, \ldots, I_n))$.

(5f) If $S$ is a statement-like phrase, $F$ is a $\tau$ procedure$(\theta_1, \ldots, \theta_n)$ or an assertion procedure$(\theta_1, \ldots, \theta_n)$, $I_1, \ldots, I_n$ are distinct identifiers not occurring free in $S$ or $F$, and $\theta_{i_1}, \ldots, \theta_{i_k}$ are the expression-like members of $\{\theta_1, \ldots, \theta_n\}$ then, for all environments, $S \,\#\, F$ has the same meaning as

$(\forall_{\theta_1} I_1) \cdots (\forall_{\theta_n} I_n)\ (S \,\#\, I_{i_1} \,\&\, \cdots \,\&\, S \,\#\, I_{i_k} \Rightarrow S \,\#\, F(I_1, \ldots, I_n))$.

(6) If $V$ is a $\tau$ variable, and $E$ and $\Pi$ are distinct identifiers that do not occur free in $V$ then, for all environments, $\mathrm{gv}(V)$ has the same meaning as

$(\forall_{\tau\ \mathrm{exp}} E)\ (\forall_{\mathrm{assertion\ procedure}(\tau\ \mathrm{exp})} \Pi)\ (V \,\#\, \Pi \Rightarrow \{\Pi(E)\}\ V := E\ \{\Pi(V)\})$.
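The definitions above can be exercised on a small model. The following added example (not the report's own code) represents statements as assignments, sequencing and while loops, computes the sequence of states that $M_{\mathrm{statement}}$ describes (intermediate states included), and evaluates definition (1), definition (5a) and an instance of the Constancy axiom (23) given later in this appendix, over a constructed finite sample of states; the real definitions quantify over all states, and nontermination is modelled by a step budget. Every name in it (run, hoare, noninterference, constancy, SAMPLE, INC2, COUNT_UP, SPIN) is the example's own.

```python
# Added example (not the report's own code): a finite model of the semantics of
# specification logic, definitions (1) and (5a) and axiom (23).
from itertools import product

FUEL = 200   # loop iterations allowed before a run is treated as infinite (S^ω)

# Statement forms.  An expression or assertion is a Python function on states.
def assign(var, expr):
    return ("assign", var, expr)

def seq(*stmts):
    return ("seq", stmts)

def while_(cond, body):
    return ("while", cond, body)

def run(stmt, sigma, budget=None):
    """The meaning of a statement: (states, finite), where `states` is the
    sequence of states after each assignment, intermediate ones included, and
    `finite` is False when the run exhausts FUEL (modelling nontermination)."""
    budget = {"steps": FUEL} if budget is None else budget
    if stmt[0] == "assign":
        _, var, expr = stmt
        new = dict(sigma)
        new[var] = expr(sigma)
        return [new], True
    if stmt[0] == "seq":
        states, cur = [], sigma
        for s in stmt[1]:
            more, finite = run(s, cur, budget)
            states += more
            if not finite:
                return states, False
            cur = states[-1] if states else cur
        return states, True
    _, cond, body = stmt                      # while loop
    states, cur = [], sigma
    while cond(cur):
        budget["steps"] -= 1
        if budget["steps"] < 0:
            return states, False              # the infinite-sequence case
        more, finite = run(body, cur, budget)
        states += more
        if not finite:
            return states, False
        cur = states[-1] if states else cur
    return states, True

def hoare(P, S, Q, sample):
    """Definition (1) on a finite sample: for every sampled σ with P(σ), the run
    of S from σ is infinite or ends in a final state σ_f with Q(σ_f)."""
    for sigma in sample:
        if not P(sigma):
            continue
        states, finite = run(S, sigma)
        if finite and not Q(states[-1] if states else sigma):
            return False
    return True

def noninterference(S, E, sample):
    """Definition (5a) on a finite sample: S # E holds when E has the same
    value in every state that occurs in the run of S as in the initial state."""
    for sigma in sample:
        states, _ = run(S, sigma)
        if any(E(s2) != E(sigma) for s2 in states):
            return False
    return True

def constancy(S, p, q, r, sample):
    """Axiom (23): s # p & {q} s {r} ⇒ {q and p} s {r and p}.  Reports whether
    the instance holds on the sample (premises false, or conclusion true)."""
    premises = noninterference(S, p, sample) and hoare(q, S, r, sample)
    conclusion = hoare(lambda s: q(s) and p(s), S,
                       lambda s: r(s) and p(s), sample)
    return (not premises) or conclusion

# Constructed sample of states and statements over variables x and y.
SAMPLE = [{"x": x, "y": y} for x, y in product(range(-2, 4), range(3))]
INC2 = seq(assign("x", lambda s: s["x"] + 1), assign("x", lambda s: s["x"] + 1))
COUNT_UP = while_(lambda s: s["x"] < 3, assign("x", lambda s: s["x"] + 1))
SPIN = while_(lambda s: True, assign("y", lambda s: s["y"] + 1))

if __name__ == "__main__":
    print(hoare(lambda s: s["x"] >= 0, INC2, lambda s: s["x"] >= 2, SAMPLE))  # True
    print(noninterference(INC2, lambda s: s["y"], SAMPLE))                    # True
    print(hoare(lambda s: True, SPIN, lambda s: False, SAMPLE))               # True: never terminates
```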
Specification logic is a system for inferring universal specifications, which are specifications that are true in all environments. It includes both axioms, which are particular universal specifications, and rules of inference. Inferences may also be made by alpha conversion and (forward or backward) beta reduction, as in the lambda calculus.

An inference rule consists of zero or more premises and a conclusion. An instance of the rule is obtained by replacing metavariables, denoted by upper case letters, by appropriate phrases, subject to restrictions that may preface the rule. If all of the premises of an instance are universal, then the conclusion of the instance is universal.

In the form $S_1 \,\&\, \cdots \,\&\, S_n \Rightarrow S$, the specifications on the left, called assumptions, are regarded as a finite set. The metavariable $\Sigma$ is used for such a set, while $S$ is used for a single specification. $\Sigma \,\&\, \Sigma'$ abbreviates $\Sigma \cup \Sigma'$, while $\Sigma \,\&\, S$ abbreviates $\Sigma \cup \{S\}$. When $\Sigma$ is empty, $\Sigma \Rightarrow S$ stands for $S$.

Phrase types are classified as statement-like and/or expression-like as follows:

  Phrase Type                            Statement-like   Expression-like
  τ variable                                   X                X
  τ expression                                                  X
  τ array variable(*, ..., *)                  X                X
  τ array expression(*, ..., *)                                 X
  statement                                    X
  assertion                                                     X
  procedure(θ_1, ..., θ_n)                     X
  τ procedure(θ_1, ..., θ_n)                                    X
  assertion procedure(θ_1, ..., θ_n)                            X

An occurrence in $P$ of an identifier is statement-like (expression-like) if the type of every subphrase of $P$ enclosing the occurrence is statement-like (expression-like). We write $F_{\mathrm{sta\text{-}like}}(P)$ ($F_{\mathrm{exp\text{-}like}}(P)$) for the set of identifiers having statement-like (expression-like) free occurrences in $P$.
The  following  rules  of  inference  and  axioms  have  been  developed: 


(1) Self-Implication

$S \Rightarrow S$

(2) Adding Assumptions

$\Sigma \Rightarrow S$
--------
$\Sigma \,\&\, \Sigma' \Rightarrow S$

(3) Separating Assumptions

$\Sigma \,\&\, \Sigma' \Rightarrow S$
--------
$\Sigma \Rightarrow (\Sigma' \Rightarrow S)$

(4) Combining Assumptions

$\Sigma \Rightarrow (\Sigma' \Rightarrow S)$
--------
$\Sigma \,\&\, \Sigma' \Rightarrow S$

(5) Modus Ponens

$\Sigma \,\&\, S_1 \,\&\, \cdots \,\&\, S_n \Rightarrow S$,   $\Sigma_1 \Rightarrow S_1$, ..., $\Sigma_n \Rightarrow S_n$
--------
$\Sigma \,\&\, \Sigma_1 \,\&\, \cdots \,\&\, \Sigma_n \Rightarrow S$
(6) Quantifier Introduction

If $I$ is an identifier of phrase type $\theta$ that does not occur free in $\Sigma$ then

$\Sigma \Rightarrow S$
--------
$\Sigma \Rightarrow (\forall_\theta I)\ S$.

(7) Quantifier Removal

If $I_1, \ldots, I_n$ are distinct identifiers of phrase types $\theta_1, \ldots, \theta_n$ and $A_1, \ldots, A_n$ are phrases of types $\theta_1, \ldots, \theta_n$ then

$(\forall_{\theta_1} I_1) \cdots (\forall_{\theta_n} I_n)\ S \Rightarrow S|_{I_1, \ldots, I_n \to A_1, \ldots, A_n}$.

(8) Free Substitution

If $S|_{I_1, \ldots, I_n \to A_1, \ldots, A_n}$ is a type-correct substitution, then

$S$
--------
$S|_{I_1, \ldots, I_n \to A_1, \ldots, A_n}$.

(9) Mathematical Fact Introduction

If $P$ is an assertion that is a mathematical fact then

$\{P\}$.

(10) Reductio ad Absurdum

$\{\mathrm{false}\} \Rightarrow S$.


(11) Static Implication

If $P$ and $Q$ are assertions then

(12) Statement Compounding (Axiom)

$\{p\}\ s_1\ \{q\} \,\&\, \{q\}\ s_2\ \{r\} \Rightarrow \{p\}\ s_1;\ s_2\ \{r\}$

(13) Strengthening Precedent (Axiom)

$\{p \text{ implies } q\} \,\&\, \{q\}\ s\ \{r\} \Rightarrow \{p\}\ s\ \{r\}$

(14) Weakening Consequent (Axiom)
(22) Right-Side Noninterference Decomposition

If $S$ is a statement-like phrase, $E$ is an expression-like phrase, and $F_{\mathrm{exp\text{-}like}}(E) = \{I_1, \ldots, I_n\}$, then

$S \,\#\, I_1 \,\&\, \cdots \,\&\, S \,\#\, I_n \Rightarrow S \,\#\, E$.

(23) Constancy (Axiom)

$s \,\#\, p \,\&\, \{q\}\ s\ \{r\} \Rightarrow \{q \text{ and } p\}\ s\ \{r \text{ and } p\}$.

(24) Simple Assignment

Let $X$ be a $\tau$ variable identifier, $E$ be a $\tau$ expression, and $P$ be an assertion such that all free occurrences of $X$ in $P$ have type $\tau$ expression. Let $\{I_1, \ldots, I_n\} = F_{\mathrm{exp\text{-}like}}(P) - \{X\}$. Then

$\mathrm{gv}(X) \,\&\, X \,\#\, I_1 \,\&\, \cdots \,\&\, X \,\#\, I_n \Rightarrow \{P|_{X \to E}\}\ X := E\ \{P\}$.

(25) Simple Variable Declarations

If $X$ is a $\tau$ variable identifier, $P$ and $Q$ are assertions, $E_1, \ldots, E_m$ are expression-like phrases, $S_1, \ldots, S_n$ are statement-like phrases, and $X$ does not occur free in $\Sigma$, $P$, $Q$, $E_1, \ldots, E_m$, $S_1, \ldots, S_n$, then

$\Sigma \,\&\, \mathrm{gv}(X) \,\&\, X \,\#\, E_1 \,\&\, \cdots \,\&\, X \,\#\, E_m \,\&\, S_1 \,\#\, X \,\&\, \cdots \,\&\, S_n \,\#\, X \Rightarrow \{P\}\ B\ \{Q\}$
--------
$\Sigma \Rightarrow \{P\}\ \mathrm{begin}\ \tau\ X;\ B\ \mathrm{end}\ \{Q\}$.
(26) Proper Procedure Declarations

Suppose

$F_1, \ldots, F_n, G_1, \ldots, G_k, H$ are distinct identifiers of phrase types $\theta_1, \ldots, \theta_n, \theta'_1, \ldots, \theta'_k$, procedure$(\theta_1, \ldots, \theta_n)$,

$B_{\mathrm{proc}}, B$ are statements,

$P_{\mathrm{proc}}, Q_{\mathrm{proc}}, P, Q$ are assertions,

$\Sigma, \Sigma', \Sigma_{\mathrm{pa}}$ are finite sets of specifications,

such that

$\Sigma' \subseteq \Sigma$,

$F_1, \ldots, F_n$ do not occur free in $\Sigma'$,

$G_1, \ldots, G_k$ do not occur free in $B_{\mathrm{proc}}$ or $\Sigma'$,

$H$ does not occur free in $P_{\mathrm{proc}}, Q_{\mathrm{proc}}, P, Q, \Sigma, \Sigma'$, or $\Sigma_{\mathrm{pa}}$.

Let $\Sigma_{\mathrm{proc}}$ be

$(\forall_{\theta_1} F_1) \cdots (\forall_{\theta_n} F_n)(\forall_{\theta'_1} G_1) \cdots (\forall_{\theta'_k} G_k)\ (\Sigma_{\mathrm{pa}} \Rightarrow \{P_{\mathrm{proc}}\}\ H(F_1, \ldots, F_n)\ \{Q_{\mathrm{proc}}\})$

$\,\&\, (\forall_{\mathrm{exp\text{-}like}} E)\ (I_1 \,\#\, E \,\&\, \cdots \,\&\, I_m \,\#\, E \Rightarrow H \,\#\, E)$,

where $\{I_1, \ldots, I_m\} = F_{\mathrm{sta\text{-}like}}(B_{\mathrm{proc}}) - \{F_1, \ldots, F_n, H\}$ and $E$ is some identifier that is distinct from $I_1, \ldots, I_m$ and $H$. Then

$\Sigma' \,\&\, \Sigma_{\mathrm{pa}} \,\&\, \Sigma_{\mathrm{proc}} \Rightarrow \{P_{\mathrm{proc}}\}\ B_{\mathrm{proc}}\ \{Q_{\mathrm{proc}}\}$

$\Sigma \,\&\, \Sigma_{\mathrm{proc}} \Rightarrow \{P\}\ B\ \{Q\}$
--------
$\Sigma \Rightarrow \{P\}\ \mathrm{begin}\ \mathrm{procedure}\ H(\theta_1\, F_1;\ \ldots;\ \theta_n\, F_n);\ B_{\mathrm{proc}};\ B\ \mathrm{end}\ \{Q\}$.

(27) Simple Assignment (Axiom)

$\mathrm{gv}(x) \,\&\, x \,\#\, \pi \Rightarrow \{\pi(e)\}\ x := e\ \{\pi(x)\}$.

(28) Good Variables (Axiom)

$(\forall_{\tau\ \mathrm{exp}} e)\ (\forall_{\mathrm{assertion\ procedure}(\tau\ \mathrm{exp})} \pi)\ (x \,\#\, \pi \Rightarrow \{\pi(e)\}\ x := e\ \{\pi(x)\}) \Rightarrow \mathrm{gv}(x)$.

(29) Nonrecursive Proper Procedure Declarations (Axiom)

$\{p\}\ \sigma(m)\ \{q\} \Rightarrow \{p\}\ \mathrm{begin}\ \mathrm{procedure}\ h(\theta_1\, f_1;\ \ldots;\ \theta_n\, f_n);\ m(f_1, \ldots, f_n);\ \sigma(h)\ \mathrm{end}\ \{q\}$.

(30) Array Assignment

Let $X$ be an identifier of type $\tau$ array variable$(*)$, $S$ be an integer expression, $E$ be a $\tau$ expression, and $P$ be an assertion such that all free occurrences of $X$ in $P$ have type $\tau$ array expression$(*)$. Let $\{I_1, \ldots, I_n\} = F_{\mathrm{exp\text{-}like}}(P) - \{X\}$. Then

$\mathrm{gv}(X(S)) \,\&\, X(S) \,\#\, I_1 \,\&\, \cdots \,\&\, X(S) \,\#\, I_n \Rightarrow \{P|_{X \to [X \mid S{:}\,E]}\}\ X(S) := E\ \{P\}$.

(31) Good Array Designators (Axiom)

$x(s) \,\#\, s \Rightarrow \mathrm{gv}(x(s))$.

(32) Array Element Noninterference (Axiom)

$\{s \ne t\} \,\&\, x(s) \,\#\, t \Rightarrow x(s) \,\#\, x(t)$.

(33) Array Segment Noninterference (Axiom)

$\{s \notin v\} \,\&\, x(s) \,\#\, v \Rightarrow x(s) \,\#\, x{\restriction}v$.

(34) Array Declarations

If $X$ is a $\tau$ array variable$(*)$ identifier, $P$ and $Q$ are assertions, $L$ and $U$ are integer expressions, $E_1, \ldots, E_m$ are expression-like phrases, $S_1, \ldots, S_n$ are statement-like phrases, and $X$ does not occur free in $\Sigma$, $P$, $Q$, $L$, $U$, $E_1, \ldots, E_m$, $S_1, \ldots, S_n$, then

$\Sigma \,\&\, X \,\#\, E_1 \,\&\, \cdots \,\&\, X \,\#\, E_m \,\&\, S_1 \,\#\, X \,\&\, \cdots \,\&\, S_n \,\#\, X \Rightarrow \{P \text{ and } \mathrm{dom}\,X = |L\;\;U|\}\ B\ \{Q\}$
--------
$\Sigma \Rightarrow \{P\}\ \mathrm{begin}\ \tau\ \mathrm{array}\ X(L::U);\ B\ \mathrm{end}\ \{Q\}$.

(35) Domain Constancy (Axiom)

$s \,\#\, \mathrm{dom}\,x$.
1. Introduction

The use of assertions to describe programs and prove their correctness [4-6] has developed to the point where the necessary assertions are often at least as lengthy and difficult to comprehend as the program which they describe. A major cause is the use of languages and proof methods, typically the first-order predicate calculus, which are taken from classical logic and are not oriented towards programming.

Perhaps the most glaring example of these difficulties is the use of arrays. One need only compare the assertions needed to describe a program such as log n exponentiation, which does not involve arrays or other compound data structures, with the assertions for a program such as binary search, which is intuitively no more complex, but uses arrays. In the first case, the assertions are clear and concise, and reasoning about them involves only the familiar laws of elementary algebra. But when arrays are introduced, the assertions become lengthy and filled with quantifiers, and their manipulation seems only tenuously connected with the programmer's intuition.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

Work supported by National Science Foundation Grant MCS 75-22002 and Rome Air Force Development Center Contract F30602-77-C-0235.

Author's address: School of Computer and Information Science, Syracuse University, 313 Link Hall, Syracuse NY 13210.

© 1979 ACM 0001-0782/79/0500-0290 $00.75

Superficially, we need a better notation for assertions about arrays. But more fundamentally, we need concepts and laws which are not only correct but also reflect our intuitive understanding of arrays, just as the concepts of addition and multiplication, and the associative, commutative, and distributive laws reflect our intuitive understanding of numbers. Once the right concepts and laws have been found, it is comparatively trivial to design a notation which facilitates their application.

This paper presents a variety of concepts, laws, and notations for reasoning about arrays, some borrowed from mathematics and others original, which we believe meet the above criteria. Their utility will be demonstrated both by informal descriptions of program behavior and by a short formal proof of program correctness.

The consideration of both informal and formal proofs reflects our belief that the relationship between the two is a critical issue in program proving. Ideally, an informal description of "why a program works" should provide enough information that an intelligent reader could produce a formal correctness proof by filling in details, without any significant invention or change of concepts.

As an illustrative programming language, we will use Algol 60 with the following changes:

(1) while statements.

(2) Round rather than square brackets for array subscripts (to emphasize the view that array values are functions).

(3) Integer expressions of the form lower X and upper X, denoting the minimum and maximum subscripts of a one-dimensional array X.

(4) Empty arrays, obtained by permitting array declarations in which a lower subscript bound is larger than the corresponding upper bound.

We have purposely stayed close to Algol to avoid inadvertently choosing a programming language which hid the defects of our assertion language. In particular, we have refrained from introducing our notation for assertions into the programming language itself (except for lower and upper, which were irresistibly attractive). Moving in this direction seems to lead to a very high-level language, closer to APL than to Algol, which is outside the scope of this paper.

On the other hand, even the choice of Algol has had subtle effects on the ensuing development. For example, switching to a programming language with the novel approach to arrays described in [11] would necessitate minor changes to many concepts, such as abandoning the uniqueness of the array value with an empty domain.

To an even greater extent than is indicated by the explicit references, this work is built upon the ideas of C. A. R. Hoare [7-9]. Mention should also be made of distinct but related work on arrays by D. C. Cooper [2] and of work by R. Burstall [1] which, roughly speaking, does for lists what we are trying to do for arrays.


2.  Interval  and  Partition  Diagrams 

Before considering arrays themselves, we introduce some diagrammatic expressions for making assertions about subscripts. Basically, these expressions are a formalization of the diagrams which are traditionally drawn by programmers when describing arrays.

For example, in describing the program for binary search to be developed in Section 5, one might draw

[diagram: a box representing the subscript domain of X, divided by two vertical lines with a and b written below them]

to assert a relationship between the integer variables a and b and the domain of permissible subscripts of the array X. We will regard this diagram as an assertion that the subscript domain is partitioned into three subsets: {i | lower X ≤ i < a}, {i | a ≤ i ≤ b}, and {i | b < i ≤ upper X}.

Of course, an equivalent assertion can be given in the predicate calculus, but this sacrifices the intuitive content of the diagram. (For example, the above assertion is equivalent to lower X − 1 ≤ a − 1 ≤ b ≤ upper X or lower X − 1 ≥ a − 1 ≥ b ≥ upper X.) A better approach is to formalize and give rigorous meaning to the diagram itself. The only change we will make is to place expressions such as a and b within, rather than below, the relevant boxes. In addition to making the notation more nearly linear, this curtails the tendency of such expressions to migrate across boundaries when written hastily.

Before defining such partition diagrams, however, we must introduce the simpler concept of an interval diagram. An interval is a finite consecutive set of integers. If a and b are expressions denoting integers, then a|  b|, called an interval diagram, is an expression denoting the interval

  a|  b| = {i | a < i ≤ b}.

When formulating general properties of interval diagrams (or partition diagrams) we will always use the standard form a|  b|. But when using the diagrams to make assertions, we will permit more flexibility. Specifically, at either end of an interval diagram, |a may be written instead of a − 1|. Also, [a] may be written as an abbreviation for |a  a|. Thus |a  b| = {i | a ≤ i ≤ b}, |a  |b = {i | a ≤ i < b}, a|  |b = {i | a < i < b}, and [a] = {a}.

For any finite set S, we write #S to denote the size, or number of elements in S. Thus

  #(a|  b|) = if b − a ≥ 0 then b − a else 0.   (2.1)

This use of a conditional expression to describe a fundamental property of a data structure is a clear symptom of a potential source of error, i.e. the possibility that a program may be correct for one case of the conditional but not the other. To emphasize this situation, we say that the interval a|  b| is regular when b − a ≥ 0, or irregular when b − a < 0. It is evident that a nonempty interval is always regular, but the empty interval can be either regular or irregular. (This is a slight abuse of language; it is really the interval diagram, rather than the interval itself, which is regular or irregular.)

Partition diagrams are concatenations of interval diagrams which assert that the corresponding intervals form a partition. More precisely, if a_0, a_1, ..., a_n are expressions denoting integers, then:

(a) a_0|  a_1|  ...  a_{n−1}|  a_n| is called a partition diagram.

(b) a_0|  a_1|, ..., a_{n−1}|  a_n|, i.e. the intervals denoted by diagrams obtained by eliminating all but an adjacent pair of lines, are called the component intervals of the partition diagram.

(c) a_0|  a_n|, i.e. the interval denoted by the diagram obtained by eliminating interior lines, is called the total interval of the partition diagram.

(d) The partition diagram is a logical expression which is true iff the component intervals are a partition of the total interval, i.e. iff the component intervals are disjoint and their union is the total interval.

As with interval diagrams, |a may be written in place of a − 1|, and [a] in place of |a  a|. Thus for example, |a  [b]  c| is a partition diagram which is true iff the component intervals |a  |b = {i | a ≤ i < b}, [b] = {b}, and b|  c| = {i | b < i ≤ c} are disjoint and their union is the total interval |a  c| = {i | a ≤ i ≤ c}.

The nature of partitions implies that the size of the total interval is the sum of the sizes of the component intervals:

  a_0|  a_1|  ...  a_{n−1}|  a_n| implies #(a_0|  a_n|) = #(a_0|  a_1|) + ... + #(a_{n−1}|  a_n|).   (2.2)

As shown in the Appendix, (2.2) implies the following fundamental property of partition diagrams:

  a_0|  a_1|  ...  a_{n−1}|  a_n| iff either a_0 ≤ a_1 ≤ ... ≤ a_{n−1} ≤ a_n or a_0 ≥ a_1 ≥ ... ≥ a_{n−1} ≥ a_n.   (2.3)

Note that the first inequality asserts that every component interval is regular, while the second inequality asserts that every component interval is empty.

From (2.3), the following simple cases are obvious:

  a|  b| is always true.   (2.4)

  [a]  b| iff |a  [b] iff a ≤ b iff |a  b| is nonempty.   (2.5)

  |a  [b]  c| iff a ≤ b ≤ c iff b ∈ |a  c|.   (2.6)

By (2.4), partition diagrams without interior lines are tautologies, so that in practice such diagrams will not occur in assertions. This circumvents the problem that such diagrams can only be distinguished from interval diagrams by their context.

More interestingly, one can easily derive several "diagrammatically natural" rules of inference. (Here "line" refers to any vertical line in a diagram, including its associated expression.)

Erasure. From a partition diagram one can infer any diagram obtained by deleting a line, i.e.

  a_0|  ...  a_{i−1}|  a_i|  a_{i+1}|  ...  a_n| implies a_0|  ...  a_{i−1}|  a_{i+1}|  ...  a_n|.   (2.7)

Adjacent Duplication. From a partition diagram one can infer any diagram obtained by replicating a line next to itself, i.e.

  a_0|  ...  a_i|  ...  a_n| implies a_0|  ...  a_i|  a_i|  ...  a_n|.   (2.8)

Substitution. From two partition diagrams such that the end lines of the first match some pair of adjacent lines in the second, one can infer the diagram obtained by substituting the first diagram for the adjacent lines in the second:

  a|  b_1|  ...  b_k|  c| and ...  a|  c|  ... implies ...  a|  b_1|  ...  b_k|  c|  ... .   (2.9)

It should be emphasized that (2.4) to (2.9) are useful, but not complete rules, i.e. they cannot completely replace (2.2), (2.3), or the definition of partition diagrams. The use of these rules is illustrated by the following inferences, which will be pertinent to the binary search example to be given in Section 5:

(a) For any integers l and u, (2.4) and (2.8) show that |l  |l  u|  u| holds.

(b) Suppose |l  |a  b|  u| and a ≤ j ≤ b. Then by (2.6) and (2.9), |l  |a  [j]  b|  u| holds. In turn, by (2.7), this implies

  |l  [j]  u|,   |l  |j + 1  b|  u|,   and   |l  |a  j − 1|  u|.
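As an added example (not from the paper), the following Python code treats a diagram as the list of its line expressions in standard form (|x is recorded as x − 1, and [x] as the adjacent pair x − 1, x) so that the definitions and rules above can be executed: it evaluates interval diagrams and (2.1), decides a partition diagram by definition (d), checks (2.3) and (2.2) exhaustively over small values, and carries out inference (b) for binary search with rules (2.9) and (2.7). All function names are the example's own.

```python
# Added example (not from the paper): interval and partition diagrams as lists
# of line expressions in standard form a_0| a_1| ... a_n|.
from itertools import product

def interval(a, b):
    """a| b| = {i | a < i ≤ b}; empty (regular or irregular) when b ≤ a."""
    return frozenset(range(a + 1, b + 1))

def size(a, b):
    """(2.1): #(a| b|) = if b − a ≥ 0 then b − a else 0."""
    return b - a if b - a >= 0 else 0

def is_regular(a, b):
    return b - a >= 0

def components(lines):
    """(b): the intervals a_{i−1}| a_i| of the diagram a_0| ... a_n|."""
    return [interval(lines[i - 1], lines[i]) for i in range(1, len(lines))]

def holds(lines):
    """(d): true iff the components are disjoint and their union is the
    total interval a_0| a_n|."""
    comps = components(lines)
    union = frozenset().union(*comps)
    disjoint = sum(len(c) for c in comps) == len(union)
    return disjoint and union == interval(lines[0], lines[-1])

def holds_by_2_3(lines):
    """(2.3): true iff a_0 ≤ a_1 ≤ ... ≤ a_n or a_0 ≥ a_1 ≥ ... ≥ a_n."""
    pairs = list(zip(lines, lines[1:]))
    return all(p <= q for p, q in pairs) or all(p >= q for p, q in pairs)

def sizes_add_up(lines):
    """(2.2): the size of the total interval is the sum of component sizes."""
    total = size(lines[0], lines[-1])
    return total == sum(size(p, q) for p, q in zip(lines, lines[1:]))

def check_2_2_and_2_3(values=range(-2, 3), n=3):
    """Brute-force (2.2) and (2.3) over every diagram with n+1 lines drawn
    from `values`, which includes empty, irregular and repeated lines."""
    for lines in product(values, repeat=n + 1):
        lines = list(lines)
        if holds(lines) != holds_by_2_3(lines):
            return False
        if holds(lines) and not sizes_add_up(lines):
            return False
    return True

def erase(lines, k):
    """(2.7) Erasure: drop the k-th line (0-based)."""
    return lines[:k] + lines[k + 1:]

def duplicate(lines, k):
    """(2.8) Adjacent Duplication: repeat the k-th line next to itself."""
    return lines[:k + 1] + lines[k:]

def substitute(outer, k, inner):
    """(2.9) Substitution: `inner` must begin and end with the adjacent pair
    outer[k], outer[k+1], which it replaces."""
    if inner[0] != outer[k] or inner[-1] != outer[k + 1]:
        raise ValueError("end lines of the inner diagram do not match")
    return outer[:k] + inner + outer[k + 2:]

def binary_search_split(l, u, a, b, j):
    """Inference (b): from |l |a b| u| and a ≤ j ≤ b derive, via (2.6), (2.9)
    and (2.7), the diagrams for "found", "search right" and "search left"."""
    if not a <= j <= b:
        raise ValueError("need a ≤ j ≤ b")
    outer = [l - 1, a - 1, b, u]             # |l |a b| u|
    inner = [a - 1, j - 1, j, b]             # |a [j] b|, true by (2.6)
    mid = substitute(outer, 1, inner)        # |l |a [j] b| u|
    return {
        "mid": mid,
        "found": erase(erase(mid, 1), 3),    # |l [j] u|
        "right": erase(erase(mid, 1), 1),    # |l |j+1 b| u|
        "left": erase(erase(mid, 3), 3),     # |l |a j−1| u|
    }
```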

In conclusion, it should be noted that the definitions of interval and partition diagrams have been motivated by a definite attitude towards empty and irregular intervals, and towards arrays with such intervals as their domain of subscripts. Although there are exceptions, such as finding the subscript of a maximum element, most array-manipulating algorithms can be extended without complication to handle the empty array. In the author's opinion, it is invariably good practice to do so, and the linguistic prohibition of empty arrays (as in Algol 60) is a design mistake, akin to prohibiting for statements which execute their bodies zero times.


However, one could permit intervals to be empty without permitting their irregular representation by regarding a|  b| as well-defined when a ≤ b, but undefined when a > b. Our decision to permit irregular representations has several motivations:

(1) Undefined expressions are a potential source of confusion.

(2) If for i := a until b do s is regarded as iterating over the interval |a  b| (as in [8]), then most Algol-based languages permit |a  b| to be irregular in this context.

(3) The author has never encountered an array-manipulating algorithm which handles the empty array yet cannot be extended without complication to handle irregular subscript domains.

A potential counterargument is that even though an algorithm may extend smoothly to the irregular case, its proof of correctness may require extra case analysis. But in the author's experience, this case analysis can be avoided by using partition diagrams instead of inequalities; basically this avoids the or lurking in Proposition (2.3).

Nevertheless, a consistent case can be made for avoiding irregular intervals. F. L. Morris has explored the use of interval and partition diagrams in this context. His basic approach is to regard any occurrence of an interval diagram a|  b| within an assertion as having the "side effect" of asserting a ≤ b. Then the partition diagram a_0|  a_1|  ...  a_n| is defined to mean a_0 ≤ a_1 ≤ ... ≤ a_n, which implies both that the component intervals are well-defined and that they form a partition of the total interval. In this approach, Propositions (2.2) and (2.4) to (2.9) remain true.

3.  Functions  as  Array  Values 

There are two quite different concepts of an array. The more traditional view is that an array of, say, real numbers is a function from subscripts into variables, which in turn possess real values. The more recent view, expounded by Hoare [7, 9] and Dijkstra [3], is that an array of real numbers is a variable whose value is a function from subscripts into real numbers. In this paper, we take the latter view. The effect is to banish the possibility of "sharing" or "aliasing" among array elements, which would greatly complicate the problems of proving program correctness.

Specifically,  we  assume  that  an  array  declared  by 
r  array  X(a.b)  is  a  variable  whose  values  range  ever  the 
set  of  functions  from  the  interval  [a  ft|  into  the  set 

T. 

We  write  (  >  to  denote  the  unique  function  whose 
domain  is  the  empty  set  (  ).  For  any  function  X.  we 
write  4om  X  for  the  domain  of  X.  and  when  this  domain 
is  an  interval,  lower  X  and  upper  X  for  the  integers  such 
that  dotn  X  -  1  tower  X  upper  This  definition  of 
lower  X  and  upper  X  is  intentionally  incomplete  for  the 
case  where  X  -  (  ).  We  assume  that  there  are  integers 
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lo  and  wo  such  that  lower  <  )  -  fc,  upper  <)«•«>,  and 
A)  >  uo>  but  we  leave  these  integers  unspecified  to  avoid 
making  arguments  which  might  depend  upon  their  ar¬ 
bitrary  values. 

When  S  £  does  X,  we  write  X 1 S,  called  the  restriction 
of  X  to  5,  to  denote  the  function  such  that 

4oa(X  IS)  —  5  (3.1) 

(V«  €  S)  (X  1  5X0  -  m  (3.2) 

(Usually,  but  not  necessarily,  S  will  be  an  interval.)  This 
concept,  which  mirrors  the  informal  idea  of  (the  value 
of)  a  subarray  or  segment  of  an  array,  satisfies 

If  S'  £  S  £  dom  X  then  (X  1  S)  1  S'  -  *  \  S'  (3.3) 
X  1  {  )  -  <  ).  (3.4) 

As an example, consider the program

begin integer i; integer array Squares(-5:5);
integer array Possquares(0:5);
integer array Nosquares(14:5);
for i := -5 until 5 do Squares(i) := i × i;
for i := 0 until 5 do Possquares(i) := i × i;
...
end

At the program point indicated by the ellipsis, the following assertions will hold:

dom Squares = |-5  5|

lower Squares = -5

upper Squares = 5

(∀i ∈ |-5  5|) Squares(i) = i × i

Possquares = Squares ↾ |0  5|

Nosquares = Squares ↾ { } = < >

lower Nosquares > upper Nosquares.

The expressions lower X and upper X occur so frequently in interval and partition diagrams that it is useful to adopt conventions for eliding them. We will permit the name of a function X to be attached as a label to an interval or partition diagram. In the presence of such a label, lower X may be omitted from the right of the leftmost line of the diagram, and upper X may be omitted from the left of the rightmost line. For example, X: |  |a  b|  | stands for |lower X  |a  b|  upper X|, X: |k|  | stands for |k|  upper X|, and X: |  | stands for dom X. Moreover, when an interval diagram is used to restrict a function X, the label X: can also be elided. For example, X ↾ |  a| stands for X ↾ |lower X  a|.

For a function X, we write {X}, called the image of X, to denote the set {X(i) | i ∈ dom X} of values obtained by applying X to members of its domain. (On the other hand, when x is not a function, {x} will denote the singleton set containing x.) Thus for example,

{Possquares} = {0, 1, 4, 9, 16, 25}

{Possquares ↾ |1  3|} = {1, 4, 9}

{Squares ↾ |-2  2|} = {0, 1, 4}.

It is easily seen that images possess the following properties:

S ⊆ dom X implies {X ↾ S} ⊆ {X} (3.5)

{< >} = { } (3.6)

S ∪ S' = dom X implies {X} = {X ↾ S} ∪ {X ↾ S'} (3.7)

{X ↾ |i|} = {X(i)} (3.8)

#{X} ≤ # dom X when dom X is finite (3.9)


4. Operations on Relations

There are several operations on relations which can often be used to reduce the number of quantifiers in assertions.

Suppose ρ is a binary relation between two sets U and U'. Then ρ*, called the pointwise extension of ρ, is the binary relation between the set of subsets of U and the set of subsets of U', such that S ρ* S' holds if and only if x ρ x' holds for all x in S and all x' in S'.

When U and U' are both the set of integers, ρ could be any of the relational operators of Algol. For example, {2, 3} ≤* {3, 4} and {2, 3} ≠* {4, 5} are both true, while {2, 3} <* {3, 4}, {2, 3} =* {2, 3}, and {2, 3} ≠* {2, 3} are all false. The last two examples demonstrate that ≠* is not the negation of =* (and thereby show the importance of making * explicit).

The pointwise extension of any relation satisfies the following laws:

(S ρ* S' & T ⊆ S) implies T ρ* S' (4.1a)

(S ρ* S' & T' ⊆ S') implies S ρ* T' (4.1b)

{ } ρ* S' (4.2a)

S ρ* { } (4.2b)

(S ∪ T) ρ* S' iff (S ρ* S' & T ρ* S') (4.3a)

S ρ* (S' ∪ T') iff (S ρ* S' & S ρ* T') (4.3b)

{x} ρ* {x'} iff x ρ x'. (4.4)

Occasionally, one needs the pointwise extension of a relation with regard to only a single argument. The simplest way of encompassing this case is to regard x ρ* S' as an abbreviation for {x} ρ* S' and S ρ* x' as an abbreviation for S ρ* {x'}.

Another concept involving relations, somewhat more specialized than pointwise extension, is ordering. The usual idea of an ordered array can be generalized to an arbitrary relation in a way which unifies several important cases. Let X be a function whose domain is a set of integers, and let ρ be a binary relation appropriate to the type of result of X. Then X is ordered with regard to ρ, written ord_ρ X, if and only if, for all i and j in the domain of X, i < j implies X(i) ρ X(j).

The following "orderings" appear as specific cases:

ord_≤ X: increasing order
ord_< X: strict increasing order
ord_≥ X: decreasing order
ord_> X: strict decreasing order
ord_= X: all elements equal
ord_≠ X: all elements distinct

Moreover, the generalization satisfies the following essential laws of ordering:

ord_ρ X & S ⊆ dom X implies ord_ρ (X ↾ S) (4.5)

# dom X ≤ 1 implies ord_ρ X (4.6)

If S ∪ T = dom X & S <* T then
(ord_ρ X iff (ord_ρ (X ↾ S) & ord_ρ (X ↾ T) & {X ↾ S} ρ* {X ↾ T})). (4.7)

An important special case of (4.7) is obtained by taking S and T to be two components of a partition:

If X: |  k|  | then
(ord_ρ X iff (ord_ρ (X ↾ |  k|) & ord_ρ (X ↾ k|  |) & {X ↾ |  k|} ρ* {X ↾ k|  |})). (4.8)

For particular relations ρ, there will be additional significant laws about ρ* and ord_ρ. Although we cannot approach completeness in this area, the following laws are relevant to the examples we will give:

If x ρ y implies x ρ' y for all x and y, then S ρ* T implies S ρ'* T for all S and T, and ord_ρ X implies ord_ρ' X for all X. (4.9)

If x ρ y and y ρ' z implies x ρ'' z for all x, y, and z, then S ρ* y and y ρ'* T implies S ρ''* T for all S, y, and T. (4.10)

If x ρ x for all x, and if dom X is a nonempty interval, then ord_ρ X implies X(lower X) ρ* {X} and {X} ρ* X(upper X). (4.11)
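As an added illustration (not code from the report), the following Python models the notions of Sections 3 and 4 and checks them on the Squares example above: an array value is a dict from subscripts to values, and the function names (interval, restrict, image, pointwise, ordered) are this example's own choices.

```python
"""Added example, not code from the report: the array-value concepts of
Sections 3 and 4 (restriction, image, pointwise extension, 'ord' with
respect to a relation) modelled in Python and checked against the
report's own examples.  An array value is a dict from integer
subscripts to values; its domain is the key set and the empty function
< > is the empty dict.  The sample data is the Squares example above."""
import operator
from itertools import combinations


def interval(a, b):
    """The interval diagram |a  b|: empty (irregular) when a > b."""
    return set(range(a, b + 1))


def restrict(X, S):
    """X restricted to S, laws (3.1) and (3.2); S must lie inside dom X."""
    if not S <= X.keys():
        raise ValueError("restriction outside dom X")
    return {i: X[i] for i in S}


def image(X):
    """{X}: the set of values obtained by applying X to its domain."""
    return set(X.values())


def pointwise(rel, S, T):
    """S rel* T: rel holds for every x in S paired with every x' in T.
    Vacuously true when either side is empty, as (4.2a), (4.2b) state."""
    return all(rel(x, y) for x in S for y in T)


def ordered(rel, X):
    """ord_rel X: for all i < j in dom X, X(i) rel X(j).  All pairs are
    checked because rel need not be transitive (ord_/= is an example)."""
    return all(rel(X[i], X[j]) for i, j in combinations(sorted(X), 2))


def law_4_7_holds(rel, X, S, T):
    """Evaluate both sides of (4.7) for S union T = dom X with S <* T."""
    if S | T != X.keys() or not pointwise(operator.lt, S, T):
        raise ValueError("S and T must split dom X with S entirely below T")
    lhs = ordered(rel, X)
    rhs = (ordered(rel, restrict(X, S)) and ordered(rel, restrict(X, T))
           and pointwise(rel, image(restrict(X, S)), image(restrict(X, T))))
    return lhs == rhs


# Constructed data: the arrays of the Section 3 example program.
Squares = {i: i * i for i in interval(-5, 5)}
Possquares = restrict(Squares, interval(0, 5))
Nosquares = restrict(Squares, interval(14, 5))   # irregular bounds give < >


def section_3_checks():
    """The assertions listed after the example program, plus (3.5)-(3.9)."""
    lo = restrict(Squares, interval(-5, 0))
    hi = restrict(Squares, interval(1, 5))
    return (
        Nosquares == {}
        and image(Possquares) == {0, 1, 4, 9, 16, 25}
        and image(restrict(Possquares, interval(1, 3))) == {1, 4, 9}
        and image(restrict(Squares, interval(-2, 2))) == {0, 1, 4}
        and image(restrict(Squares, interval(-2, 2))) <= image(Squares)  # (3.5)
        and image(Nosquares) == set()                                     # (3.6)
        and image(Squares) == image(lo) | image(hi)                       # (3.7)
        and image(restrict(Squares, {3})) == {Squares[3]}                 # (3.8)
        and len(image(Squares)) <= len(Squares)                           # (3.9)
    )


def section_4_checks():
    """The pointwise examples of Section 4, the six named orderings and
    law (4.7) on two splits, one where both sides are false and one
    (on Possquares) where both sides are true."""
    le, lt, ge, eq, ne = (operator.le, operator.lt, operator.ge,
                          operator.eq, operator.ne)
    return (
        pointwise(le, {2, 3}, {3, 4}) and pointwise(ne, {2, 3}, {4, 5})
        and not pointwise(lt, {2, 3}, {3, 4})
        and not pointwise(eq, {2, 3}, {2, 3})
        and not pointwise(ne, {2, 3}, {2, 3})   # /=* is not the negation of =*
        and ordered(le, Possquares) and ordered(lt, Possquares)
        and not ordered(le, Squares)            # squares of -5..5 are not monotone
        and ordered(ge, restrict(Squares, interval(-5, 0)))
        and ordered(ne, restrict(Squares, interval(1, 5)))
        and ordered(eq, {1: 7, 2: 7, 3: 7})
        and law_4_7_holds(le, Squares, interval(-5, 0), interval(1, 5))
        and law_4_7_holds(le, Possquares, interval(0, 2), interval(3, 5))
    )
```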

5. Binary Search

We have now introduced enough of our notation to demonstrate its use in describing, precisely yet intelligibly, why a program works. As an example, we describe an algorithm for binary search.

Given an ordered array X and a test value y, the program should set the boolean variable found to indicate whether any element of X is equal to y. If found is true, then the integer variable j should be set to a subscript of X such that X(j) = y. More precisely, if ord_≤ X, then executing the program should achieve the goal

if found then X: |  |j|  | & X(j) = y else {X} ≠* y.

Throughout program execution, found will only be set to true if X: |  |j|  | & X(j) = y is achieved. On the other hand, when found is false, it will not be known that y occurs nowhere in X, but only that it does not occur in either of two segments at the left and right ends of X. If we use the local variables a and b to delineate these segments, we have the invariant:

if found then X: |  |j|  | & X(j) = y else
X: |  |a  b|  | & {X ↾ |  |a} ≠* y & {X ↾ b|  |} ≠* y.

On the one hand, this invariant can be achieved initially by setting found to false and making the end segments of X empty. On the other hand, it is easy to see that the invariant implies the goal of the program if either found is true or |a  b| is empty. This is obvious if found is true, while if found is false and |a  b| is empty then the partition diagram X: |  |a  b|  | implies dom X = |  |a ∪ b|  |, so that {X ↾ |  |a} ≠* y & {X ↾ b|  |} ≠* y implies {X} ≠* y. Thus, since the emptiness of |a  b| can be tested by a > b, our program has the form:

begin integer a, b;
a := lower X; b := upper X; found := false;
while ¬(found or a > b) do
...
end

When execution of the body of the while statement begins, both the invariant and the while test will be true. Since |a  b| will be nonempty, we can perform an operation "Pick j" (whose details will be considered later) which sets j to some integer in |a  b|. At this stage, we will have

X: |  |a  |j|  b|  | & {X ↾ |  |a} ≠* y & {X ↾ b|  |} ≠* y,

and we can compare X(j) with y. There are three cases:

(1) If X(j) = y, the invariant will be preserved if found is set to true.

(2) If X(j) < y, then ord_≤ X insures that {X ↾ |  j|} ≠* y. Thus {X ↾ |  |a} ≠* y will be preserved if a is set to j + 1.

(3) If X(j) > y, then a similar argument justifies setting b to j - 1.

The following is a more detailed justification of Case (2): From (4.5) and (4.11), ord_≤ X and the nonemptiness of X: |  j| imply {X ↾ |  j|} ≤* X(j). Along with X(j) < y, this implies {X ↾ |  j|} <* y by (4.10), and {X ↾ |  j|} ≠* y by (4.9). (In a more formal presentation, ord_≤ X would occur in all assertions, reflecting the obvious fact that the program does not change the array X.)

Thus our program is:

begin integer a, b;
a := lower X; b := upper X; found := false;
while ¬(found or a > b) do
begin
"Pick j";
if X(j) = y then found := true else
if X(j) < y then a := j + 1 else b := j - 1
end
end


Termination is guaranteed by the fact that each iteration either sets found to true, which immediately stops further iterations, or else decreases the size of |a  b|, whose emptiness will cause termination. The absence of subscript errors is guaranteed since X: |  |j|  | holds at the program points where X(j) is evaluated.

It should be noticed that this discussion of binary search does not exclude the possibility that |lower X  upper X|, and therefore |a  b|, might be irregular. This illustrates our contention, at the end of Section 2, that partition diagrams permit reasoning about intervals to include the irregular case without extra case analysis.

To complete our program, we must digress from the topic of arrays to specify "Pick j". In this case, the problem is not to find a correct realization, since either j := a or j := b would be correct, but to find an efficient one. The need to shrink |a  b| as much as possible suggests choosing j as close as possible to the midpoint of |a  b|, i.e. j := (a + b) ÷ 2.

However, we must be sure that if a ≤ b, then j := (a + b) ÷ 2 will achieve a ≤ j ≤ b, despite the fact that integer division involves rounding. Although it is standardized in Algol 60, the rounding behavior of hardware-implemented division can vary for different machines, especially when a + b is negative. Fortunately, it is enough to know that division by two is a monotonic function which is exact for even numbers. For a ≤ b implies a + a ≤ a + b ≤ b + b, so that monotonicity gives (a + a) ÷ 2 ≤ (a + b) ÷ 2 ≤ (b + b) ÷ 2, and exactness for even numbers gives a ≤ (a + b) ÷ 2 ≤ b.

(S. Winograd has pointed out that j := (a + b) ÷ 2 is unnecessarily prone to overflow, in comparison with, for example, j := a + (b - a) ÷ 2. We leave it to the reader to show that the correctness of this improvement can still be proved with a monotonicity argument.)
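The binary search of this section, as an added Python example (not code from the report): the invariant is evaluated before and after every iteration, the domain may be irregular, and "Pick j" uses the overflow-resistant form just mentioned. The array representation (a dict over |lower  upper|) and the function names are this example's own.

```python
"""Added example, not code from the report: the binary search of
Section 5 over an array value X (a dict from subscripts to values with
domain |lower  upper|), with the Section 5 invariant evaluated before
and after every iteration and the overflow-safe "Pick j" of the closing
remark.  The domain may be irregular (lower > upper), i.e. empty."""


def interval(a, b):
    """The interval diagram |a  b|: empty when a > b."""
    return set(range(a, b + 1))


def pick_j(a, b):
    """j := a + (b - a) div 2, which for a <= b satisfies a <= j <= b: since
    0 <= b - a <= (b - a) + (b - a) and division by two is monotone and
    exact on even numbers, 0 <= (b - a) div 2 <= b - a."""
    return a + (b - a) // 2


def invariant_holds(X, lower, upper, y, found, j, a, b):
    """The loop invariant of Section 5.  When found, X: |  |j|  | & X(j) = y.
    Otherwise X: |  |a  b|  | must partition dom X and y must be absent
    from both end segments |  |a and b|  | (their images are /=* y)."""
    dom = interval(lower, upper)
    if found:
        return j in dom and X[j] == y
    left = interval(lower, a - 1)
    mid = interval(a, b)
    right = interval(b + 1, upper)
    is_partition = (left | mid | right == dom
                    and len(left) + len(mid) + len(right) == len(dom))
    return (is_partition
            and all(X[i] != y for i in left)
            and all(X[i] != y for i in right))


def binary_search(X, lower, upper, y):
    """Return (found, j) for X with dom X = |lower  upper| and ord_<= X.
    X[j] is read only where X: |  |j|  | has been established, so no
    subscript can fall outside dom X; the asserts make that checkable."""
    dom = interval(lower, upper)
    if X.keys() != dom:
        raise ValueError("dom X must be |lower  upper|")
    if not all(X[i] <= X[i + 1] for i in range(lower, upper)):
        raise ValueError("binary search requires ord_<= X")
    a, b, found, j = lower, upper, False, None
    assert invariant_holds(X, lower, upper, y, found, j, a, b)
    while not (found or a > b):
        j = pick_j(a, b)            # "Pick j": some integer in |a  b|
        assert a <= j <= b          # hence X: |  |a  |j|  b|  | and j in dom X
        if X[j] == y:
            found = True            # case (1)
        elif X[j] < y:
            a = j + 1               # case (2): {X on |  j|} <* y, so y is not there
        else:
            b = j - 1               # case (3), symmetrically
        assert invariant_holds(X, lower, upper, y, found, j, a, b)
    return found, (j if found else None)


# Constructed sample: dom X = |-3  3| with X(i) = 2i, an increasing array.
EVENS = {i: 2 * i for i in interval(-3, 3)}
```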

6. Array Assignment

We must now move beyond programs such as binary search which merely use arrays, to consider programs which change arrays. Our treatment of such programs follows the ideas of Hoare [7, 9], which are based upon earlier work by McCarthy and Painter [10].

In programming languages at the level of Algol, the fundamental agent of change is an assignment statement which alters a single array element, e.g. X(i) := e. To deal with this statement from the viewpoint that an array is a function-valued variable, we must regard it as an abbreviation for the assignment X := [X|i|e], where [X|i|e] denotes the function which is similar to X except that it maps i into e. More formally, [X|i|e] is defined when i ∈ dom X, in which case it is the function satisfying

dom [X|i|e] = dom X (6.1)

[X|i|e](i) = e (6.2)

[X|i|e](j) = X(j) when j ≠ i, (6.3)

and, as an immediate consequence of (6.3),

[X|i|e] ↾ S = X ↾ S when S ⊆ dom X and i ∉ S. (6.4)

Once X(i) := e is seen as an abbreviation for X := [X|i|e], the usual axiom of assignment [5]:

P|x→e {x := e} P (6.5)

(where P|x→e denotes the result of substituting e for x in P) extends to an axiom of array assignment [9]:

P|X→[X|i|e] {X(i) := e} P. (6.6)

Because of (6.1), when this axiom is used, the substitution X → [X|i|e] need not be applied to occurrences of X in dom X, lower X, upper X, or in a label attached to an interval or partition diagram.

7. Equivalence Relations for Arrays

For many programs which alter arrays, such as sorting programs, a full specification will stipulate both that the final value of the array will possess some property, such as being ordered, and that the final value will be related to the initial value in some way, such as being a rearrangement. Often, even when the situation is intuitively obvious, a formidable technical apparatus is needed to formulate and prove the latter kind of specification.

To deal with these problems it is useful to introduce several equivalence relations for array values. Suppose X and Y are both functions whose domains are sets of integers. Then:

(a) We write X ≈ Y, and say that X is a redistribution of Y iff {X} = {Y}.

(b) We write X ~ Y, and say that X is a rearrangement of Y iff there is a bijection B (sometimes called a one to one correspondence or a permutation) from dom X to dom Y such that (∀i ∈ dom X) Y(B(i)) = X(i).

(c) We write X ≅ Y, and say that X is a shift of Y iff there is a bijection as in (b) with the special form B(i) = i + s for some integer s.

This defines an increasingly stringent sequence of equivalence relations. Thus where ρ is ≈, ~, or ≅:

Transitivity X ρ Y & Y ρ Z implies X ρ Z (7.1)

Symmetry X ρ Y implies Y ρ X (7.2)

Reflexivity X ρ X (7.3)

X ≅ Y implies X ~ Y (7.4)

X ~ Y implies X ≈ Y. (7.5)

Finally, we have three more specific laws. Exchanging a pair of elements produces a rearrangement:

(∀i, j ∈ dom X) [[X|i|X(j)]|j|X(i)] ~ X, (7.6)

two one-element arrays with equal values are shifts of one another,

|i| = dom X & |j| = dom Y & X(i) = Y(j) implies X ≅ Y, (7.7)

and a shift of an ordered array is ordered,

X ≅ Y & ord_ρ X implies ord_ρ Y. (7.8)

As Hoare has pointed out [6], for any program which only alters an array by performing exchanges, (7.1), (7.3), and (7.6) are sufficient to show that the final array value is a rearrangement of the initial value. However, to deal with programs which move information from one array to another, we must also consider the concatenation of array values.


8. Concatenation

Let X and Y be functions whose domains are intervals with sizes m and n respectively. Then X ⌢ Y, called the concatenation of X and Y, is a function such that

dom (X ⌢ Y) = |l  m + n + l - 1|

(X ⌢ Y) ↾ |l  m + l - 1| ≅ X

(X ⌢ Y) ↾ |m + l  m + n + l - 1| ≅ Y,

where l = lower (X ⌢ Y). To make this definition unique, we would have to specify the integer function lower (X ⌢ Y); we refrain from doing so to preclude arguments which might depend upon this arbitrarily chosen function.

Let < > denote the unique function whose domain is empty. Then concatenation satisfies the following laws:

X ⌢ < > ≅ X (8.1)

< > ⌢ X ≅ X (8.2)

(X ⌢ Y) ⌢ Z ≅ X ⌢ (Y ⌢ Z) (8.3)

X ≅ X' & Y ≅ Y' implies X ⌢ Y ≅ X' ⌢ Y' (8.4)

X ⌢ Y ~ Y ⌢ X (8.5)

X ~ X' & Y ~ Y' implies X ⌢ Y ~ X' ⌢ Y' (8.6)

X: |  a|  | implies X ≅ (X ↾ |  a|) ⌢ (X ↾ a|  |) (8.7)

{X ⌢ Y} = {X} ∪ {Y} (8.8)

ord_ρ (X ⌢ Y) iff ord_ρ X & ord_ρ Y & {X} ρ* {Y}. (8.9)

The first four laws show that array values form a monoid under concatenation, provided that shift equivalence is used in place of true equality. The next two laws show that this monoid becomes commutative when the less stringent equivalence of rearrangement is used. (Technically, one can make these statements precise by working with the quotient of the set of array values under the equivalence relations ≅ or ~.)

The last three laws establish the basic connections between concatenation and partitions, images, and ordering. In particular, (8.9) is a consequence of (4.8) and (7.8).


As a second example of program description, we consider the problem of merging: Given two ordered arrays X and Y, set Z to an ordered rearrangement of the concatenation of X and Y. We assume that Z is just the right size to hold the result. Thus if

ord_≤ X & ord_≤ Y & # dom Z = (# dom X + # dom Y),

then executing the program should achieve the goal

ord_≤ Z & Z ~ (X ⌢ Y).

During execution, each array will be partitioned into a processed part on the left and an unprocessed part on the right, the processed part of Z will be an ordered rearrangement of the concatenation of the processed parts of X and Y, the unprocessed part of Z will be the right size to hold the unprocessed parts of X and Y, and all processed elements in Z will be smaller or equal to all unprocessed elements in X or Y. (The last condition is needed to insure that the unprocessed elements can be moved into Z without rearranging the already processed elements.) Thus we have the invariant:

I ≡ X: |  |kx  | & Y: |  |ky  | & Z: |  |kz  | (a)
& ord_≤ (Z ↾ |  |kz) (b)
& Z ↾ |  |kz ~ (X ↾ |  |kx ⌢ Y ↾ |  |ky) (c)
& # Z: |kz  | = # X: |kx  | + # Y: |ky  | (d)
& {Z ↾ |  |kz} ≤* ({X ↾ |kx  |} ∪ {Y ↾ |ky  |}). (e)

(The conciseness and clarity of this notation in comparison with predicate calculus can be seen by comparing this invariant with the nearly equivalent one given in Reynolds [11].)

The invariant can be achieved initially by making the processed parts all empty, and it will imply the goal of the program when the unprocessed parts are all empty, which by (d) will occur when the unprocessed part of Z is empty. Thus we can use a program of the form:

begin integer kx, ky, kz;
kx := lower X; ky := lower Y; kz := lower Z;
while kz ≤ upper Z do "Copy One Element"
end.

In "Copy One Element", a single element will be moved from the unprocessed part of X or Y into the processed part of Z. To preserve condition (e) the element to be moved must be the smallest member of {X ↾ |kx  |} ∪ {Y ↾ |ky  |}. Since both X and Y are ordered, this will be the smaller of the leftmost unprocessed elements, X(kx) or Y(ky), providing both unprocessed parts are nonempty. However, if only one unprocessed part is nonempty, its leftmost element will be the element to be moved.


More precisely, when "Copy One Element" begins, Z: |kz  | and at least one of X: |kx  | and Y: |ky  | will be nonempty. Suppose X: |kx  | is nonempty and Y: |ky  | is empty. Since ord_≤ X, (4.5) and (4.11) imply X(kx) ≤* {X ↾ |kx  |}, and since {Y ↾ |ky  |} is empty,

IX ≡ X: |kx|  | & Z: |kz|  | (f)
& X(kx) ≤* ({X ↾ |kx  |} ∪ {Y ↾ |ky  |}) (g)

will hold as well as the invariant I. (Note that X: |kx|  | is an abbreviation for the partition diagram |kx|  upper X|, which asserts that the unprocessed part of X is nonempty.) By a similar argument, if X: |kx  | is empty and Y: |ky  | is nonempty, then

IY ≡ Y: |ky|  | & Z: |kz|  |
& Y(ky) ≤* ({X ↾ |kx  |} ∪ {Y ↾ |ky  |})

will hold. Finally, if both unprocessed segments are nonempty, then

X: |kx|  | & Y: |ky|  | & Z: |kz|  |
& X(kx) ≤* {X ↾ |kx  |}
& Y(ky) ≤* {Y ↾ |ky  |}

will hold. In this case, by (4.10) and the transitivity of ≤, X(kx) ≤ Y(ky) implies IX, while Y(ky) ≤ X(kx) implies IY.

Thus if we define

"Copy One Element" ≡
if ky > upper Y then "Copy X" else
if kx > upper X then "Copy Y" else
if X(kx) < Y(ky) then "Copy X" else "Copy Y",

then I & IX will hold before the execution of (either occurrence of) "Copy X", and I & IY will hold before the execution of "Copy Y".

If "Copy X" moves X(kx) out of the unprocessed part of X and into the processed part of Z, then (g) insures that (e) will be preserved. Moreover, (e) insures that X(kx) will be larger or equal to the elements which have previously been moved into Z. Thus the ordering (b) will be preserved if X(kx) is placed at the right of the processed part of Z. This leads to:

"Copy X" ≡
begin Z(kz) := X(kx); kx := kx + 1; kz := kz + 1 end,

and by a similar argument

"Copy Y" ≡
begin Z(kz) := Y(ky); ky := ky + 1; kz := kz + 1 end.

Formally, in the notation of Hoare [5], "Copy X" must meet the specification

I & IX {"Copy X"} I.

To exemplify the application of the various laws we have stated, we give a formal proof of this specification. The assignment axioms (6.5) and (6.6) imply I' {"Copy X"} I, where

I' ≡ X: |  kx|  | & Y: |  |ky  | & Z: |  kz|  | (a')
& ord_≤ ([Z|kz|X(kx)] ↾ |  kz|) (b')
& [Z|kz|X(kx)] ↾ |  kz| ~ (X ↾ |  kx| ⌢ Y ↾ |  |ky) (c')
& # Z: kz|  | = # X: kx|  | + # Y: |ky  | (d')
& {[Z|kz|X(kx)] ↾ |  kz|} ≤* ({X ↾ kx|  |} ∪ {Y ↾ |ky  |}). (e')

(Here we have made the simplification of replacing occurrences of |  |kx + 1 and |  |kz + 1 by the equivalent forms |  kx| and |  kz|.) Thus we must show that I & IX implies I', i.e. that lines (a) through (g) imply (a') through (e').

By the rule (2.9) of substitution, (a) and (f) imply

X: |  |kx|  | & Y: |  |ky  | & Z: |  |kz|  | (h)

which, by the rule (2.7) of erasure, implies (a') as well as various partition diagrams used in the sequel. In particular, by (2.2) and (2.1), X: |kx|  | implies # X: |kx  | = # X: kx|  | + 1, and Z: |kz|  | implies # Z: |kz  | = # Z: kz|  | + 1, so that (d) implies (d').

Next, we have

[Z|kz|X(kx)] ↾ |  kz|
≅ [Z|kz|X(kx)] ↾ |  |kz ⌢ [Z|kz|X(kx)] ↾ |kz|   by Z: |  |kz|  |, (8.7), (3.3)
= Z ↾ |  |kz ⌢ [Z|kz|X(kx)] ↾ |kz|   by (6.4)
≅ Z ↾ |  |kz ⌢ X ↾ |kx|   by (7.7), (8.4), (6.2)
~ (X ↾ |  |kx ⌢ Y ↾ |  |ky) ⌢ X ↾ |kx|   by (c), (8.6)
~ (X ↾ |  |kx ⌢ X ↾ |kx|) ⌢ Y ↾ |  |ky   by (8.3), (8.5), (8.6), (7.4)
≅ X ↾ |  kx| ⌢ Y ↾ |  |ky   by X: |  |kx|  |, (8.7), (3.3)

which establishes (c'), and also

[Z|kz|X(kx)] ↾ |  kz| ≅ Z ↾ |  |kz ⌢ X ↾ |kx|. (i)

Then

{[Z|kz|X(kx)] ↾ |  kz|}
= {Z ↾ |  |kz ⌢ X ↾ |kx|}   by (i), (7.4), (7.5)
= {Z ↾ |  |kz} ∪ {X ↾ |kx|}   by (8.8)
= {Z ↾ |  |kz} ∪ {X(kx)}   by (3.8)
≤* {X ↾ |kx  |} ∪ {Y ↾ |ky  |}   by (e), (g), (4.3a)
= {X ↾ |kx| ⌢ X ↾ kx|  |} ∪ {Y ↾ |ky  |}   by X: |kx|  |, (8.7), (3.3)
= ({X ↾ |kx|} ∪ {X ↾ kx|  |}) ∪ {Y ↾ |ky  |}   by (8.8)

so that (4.1a) and (4.1b) give (e') and

{Z ↾ |  |kz} ≤* {X ↾ |kx|}. (j)

Finally, (3.1), (2.1), and (4.6) imply ord_≤ (X ↾ |kx|), which with (b), (j), and (8.9) implies ord_≤ (Z ↾ |  |kz ⌢ X ↾ |kx|), which with (i) and (7.8) implies (b').
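The merging program above, as an added Python example (not code from the report): the invariant I, clauses (a) to (e), is evaluated before and after every "Copy One Element", and the goal is checked on exit. Arrays are dicts accompanied by their (lower, upper) bounds; the helper names (seg, is_partition, is_rearrangement, merge) are this example's own, and rearrangement is decided by comparing multisets of values, which is equivalent to the bijection in definition (b) of Section 7.

```python
"""Added example, not code from the report: the merging program above,
with the invariant I (clauses (a)-(e)) evaluated before and after every
"Copy One Element" and the goal ord_<= Z & Z ~ (X concat Y) checked at
exit.  Arrays are dicts from subscripts to values; each array comes with
its bounds (lower, upper), which may be irregular when it is empty.  The
initial contents of Z are ignored, as in the report."""
from collections import Counter


def size(lo, hi):
    """# |lo  hi|, zero for an irregular interval."""
    return max(0, hi - lo + 1)


def seg(X, lo, hi):
    """The values of X on |lo  hi| in subscript order."""
    return [X[i] for i in range(lo, hi + 1)]


def is_partition(lo, k, hi):
    """The partition diagram |lo  |k  hi|: |lo  |k and |k  hi| split |lo  hi|."""
    left, right = set(range(lo, k)), set(range(k, hi + 1))
    return left.isdisjoint(right) and left | right == set(range(lo, hi + 1))


def is_ordered(vals):
    """ord_<= for values listed in subscript order (<= is transitive)."""
    return all(u <= v for u, v in zip(vals, vals[1:]))


def is_rearrangement(vals_a, vals_b):
    """A ~ B: a bijection of domains matching values exists exactly when
    the two multisets of values coincide."""
    return Counter(vals_a) == Counter(vals_b)


def invariant_holds(X, xb, kx, Y, yb, ky, Z, zb, kz):
    (xl, xu), (yl, yu), (zl, zu) = xb, yb, zb
    processed_z = seg(Z, zl, kz - 1)
    unprocessed = seg(X, kx, xu) + seg(Y, ky, yu)
    return (
        # (a) X: |  |kx  |, Y: |  |ky  | and Z: |  |kz  | are partitions
        is_partition(xl, kx, xu) and is_partition(yl, ky, yu)
        and is_partition(zl, kz, zu)
        # (b) the processed part of Z is ordered ...
        and is_ordered(processed_z)
        # (c) ... and is a rearrangement of the processed parts of X and Y
        and is_rearrangement(processed_z, seg(X, xl, kx - 1) + seg(Y, yl, ky - 1))
        # (d) the unprocessed part of Z is the right size for the rest of X, Y
        and size(kz, zu) == size(kx, xu) + size(ky, yu)
        # (e) every processed element of Z <=* every unprocessed element
        and all(p <= u for p in processed_z for u in unprocessed)
    )


def merge(X, xb, Y, yb, Z, zb):
    """Merge ordered X and Y into Z and return Z."""
    (xl, xu), (yl, yu), (zl, zu) = xb, yb, zb
    if not (is_ordered(seg(X, xl, xu)) and is_ordered(seg(Y, yl, yu))
            and size(zl, zu) == size(xl, xu) + size(yl, yu)):
        raise ValueError("precondition ord X & ord Y & #dom Z = #dom X + #dom Y")
    kx, ky, kz = xl, yl, zl
    assert invariant_holds(X, xb, kx, Y, yb, ky, Z, zb, kz)
    while kz <= zu:                          # unprocessed part of Z nonempty
        # "Copy One Element", exactly as defined in the text
        if ky > yu:
            copy_x = True
        elif kx > xu:
            copy_x = False
        else:
            copy_x = X[kx] < Y[ky]
        if copy_x:                           # "Copy X"
            Z[kz] = X[kx]; kx += 1; kz += 1
        else:                                # "Copy Y"
            Z[kz] = Y[ky]; ky += 1; kz += 1
        assert invariant_holds(X, xb, kx, Y, yb, ky, Z, zb, kz)
    # The goal: ord_<= Z & Z ~ (X concat Y)
    assert is_ordered(seg(Z, zl, zu))
    assert is_rearrangement(seg(Z, zl, zu), seg(X, xl, xu) + seg(Y, yl, yu))
    return Z


def merge_into_fresh(X, xb, Y, yb, zl=0):
    """Convenience: merge into a new Z on |zl  zl + #X + #Y - 1|."""
    zu = zl + size(*xb) + size(*yb) - 1
    return merge(X, xb, Y, yb, {i: None for i in range(zl, zu + 1)}, (zl, zu))
```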


10. Multidimensional Arrays

Although the concepts we have presented were developed and tested in the context of one-dimensional arrays, most of them extend to the multidimensional case. The major additional concept which is needed is the Cartesian product:

S1 × ... × Sn = {<i1, ..., in> | i1 ∈ S1 & ... & in ∈ Sn}.

A Cartesian product of intervals is called a block. The values of the array declared by τ array X(a1: b1, ..., an: bn) are functions whose domain is the block |a1  b1| × ... × |an  bn|.

It is evident that the values of subarrays of X such as rows and columns are restrictions of X to certain blocks. For example, with some fairly obvious conventions about eliding lower and upper bounds, the following assertion specifies that <i, j> is a saddle point of the two-dimensional array X:

{X ↾ (|i| × |  |)} ≤* X(i, j)
& X(i, j) ≤* {X ↾ (|  | × |j|)}.


11. Conclusion

The content of this paper is only a small beginning. It is largely limited to one-dimensional integer-subscripted arrays, and even within this domain it is based upon the careful study of perhaps a dozen simple programs. Moreover, program proving has been viewed as a purely human endeavor and the possibility of mechanization has been ignored.

Thus further study is certain to produce significant extensions and reformulations. Nevertheless, we believe that we have gone far enough to demonstrate the value of the underlying approach: We have formulated concepts, laws, and notations which are powerful tools for the precise yet intelligible description of a significant aspect of programming.

Hopefully, this work suggests guidelines for further progress: One should focus upon particular mechanisms such as arrays rather than generalities which pertain to all computation. Concepts and laws are more fundamental than notation per se, and should reflect intuitive understanding. Most important, the crucial test is the ability to describe real programs in a way which is not only precise but also intelligible to the human reader.
Appendix. Proof of Proposition (2.3)

We leave it to the reader to verify that either a_0 ≤ a_1 ≤ ... ≤ a_n or a_0 ≥ a_1 ≥ ... ≥ a_n implies a_0|  a_1|  ...  a_n|. The following proof of the converse was found by F.L. Morris.

Suppose a_0|  a_1|  ...  a_n|. From (2.2) we have

# a_0|  a_n| = Σ (i = 1 to n) # a_{i-1}|  a_i|, (a)

where

# a|  b| = if b - a ≥ 0 then b - a else 0

is always nonnegative and is zero iff a|  b| is empty. For arbitrary a_i's simple cancellation gives

a_n - a_0 = Σ (i = 1 to n) (a_i - a_{i-1}).

Then subtraction of (a) from both sides gives

f(a_0, a_n) = Σ (i = 1 to n) f(a_{i-1}, a_i), (b)

where

f(a, b) = b - a - # a|  b|
= if b - a ≥ 0 then 0 else b - a

is always nonpositive and is zero iff a|  b| is regular.

The interval a_0|  a_n| must be either empty or regular (or both). Suppose it is empty. Then (a) asserts that a sum of nonnegative terms is zero, which implies that each term is zero. Thus for each i, a_{i-1}|  a_i| is empty, and a_{i-1} ≥ a_i.

On the other hand, suppose a_0|  a_n| is regular. Then (b) asserts that a sum of nonpositive terms is zero, which implies that each term is zero. Thus for each i, a_{i-1}|  a_i| is regular, and a_{i-1} ≤ a_i.
APPENDIX E: RECENT WORK ON ARRAY CONCEPTS

In "Reasoning about Arrays" (Comm. ACM 22 (1979) 290-299), we defined the concept of rearrangement:

When X and Y are functions with the same codomain, X ~ Y (X is a rearrangement of Y) holds if and only if there is a bijection B: dom X → dom Y such that X = B·Y,

and of shift equivalence:

When X and Y are functions with the same codomain and domains that are intervals of the same size, X ≅ Y (X is shift equivalent to Y) holds if and only if there is a constant s such that X(i) = Y(i + s) holds for all i in dom X.

This year we discovered the usefulness of generalizing the latter concept as follows:

When X and Y are functions with the same codomain and totally ordered domains, X ≃ Y (X is a realignment of Y) holds if and only if there is a monotone bijection B: dom X → dom Y such that X = B·Y.

It is easily seen that realignment is an equivalence relation that implies rearrangement and reduces to shift equivalence in the special case where dom X and dom Y are intervals of the same size. Moreover,

If X ≃ Y and ord_ρ Y then ord_ρ X

and

If X ≃ Y then X·Z ≃ Y·Z.

The advantage of realignment lies in its ability to deal with functions whose domains are sets of integers that are not intervals, or even sets of nonintegers. An example is the following annotation of a program for left-shifting an array:


{a ≤ b and [a, b] ⊆ dom X and X = X0}
begin integer k;
k := a;
{whileinv: a ≤ k ≤ b and X ↾ ([a, k) ∪ (k, b]) ≅ X0 ↾ (a, b]}
while k < b do
begin k := k + 1; X(k-1) := X(k) end
end
{X ↾ [a, b) ≅ X0 ↾ (a, b]}

Notice that the invariant expresses the idea of an array with a hole
in the middle by using a function whose domain [a, k) ∪ (k, b] is not
an interval.

Another advantage is that we can replace the usual notion of concatenation
by a kind of concatenation based on "source tupling" of functions.
For sets S and T, let

$S + T = \{1\} \times S \cup \{2\} \times T$

with the ordering

$\langle x, y \rangle \le \langle x', y' \rangle$ iff $x < x'$ or ($x = x'$ and $y \le y'$).

Then, for functions $X: S \to U$ and $Y: T \to U$, let $X \oplus Y: S + T \to U$ be the
function such that

$(\forall i \in S)\ (X \oplus Y)(\langle 1, i \rangle) = X(i)$

$(\forall j \in T)\ (X \oplus Y)(\langle 2, j \rangle) = Y(j)$.


Then

a. $\mathrm{dom}(X \oplus Y)$ is the union of the disjoint
   sets $\{1\} \times \mathrm{dom}\,X$ and $\{2\} \times \mathrm{dom}\,Y$,

b. $(X \oplus Y) \upharpoonright (\{1\} \times \mathrm{dom}\,X) \cong X$,

c. $(X \oplus Y) \upharpoonright (\{2\} \times \mathrm{dom}\,Y) \cong Y$,

d. $\{1\} \times \mathrm{dom}\,X < \{2\} \times \mathrm{dom}\,Y$

establish that $\oplus$ is a kind of concatenation. In particular, if X and Y are
sequences, then $X \oplus Y$ is a realignment of the usual sequence-concatenation
of X and Y. However, unlike the usual notion of concatenation, $X \oplus Y$ is
defined for any pair of functions with the same codomain.

Further laws include:

If $S \subseteq \mathrm{dom}\,X$ and $T \subseteq \mathrm{dom}\,Y$ then
$(X \oplus Y) \upharpoonright (S + T) = (X \upharpoonright S) \oplus (Y \upharpoonright T)$.

$(X \oplus Y) \cdot Z = X \cdot Z \oplus Y \cdot Z$.

$\{X \oplus Y\} = \{X\} \cup \{Y\}$.

$\mathrm{ord}_P(X \oplus Y)$ if and only if
(a) $\mathrm{ord}_P\,X$ and (b) $\mathrm{ord}_P\,Y$ and (c) $\{X\} \mathrel{P} \{Y\}$.

$(X \oplus Y) \oplus Z \cong X \oplus (Y \oplus Z)$.

$X \oplus \langle\rangle \cong X$.

$\langle\rangle \oplus X \cong X$.

$X \oplus Y \sim Y \oplus X$.

If $X \sim X'$ and $Y \sim Y'$ then $X \oplus Y \sim X' \oplus Y'$.

If $X \cong X'$ and $Y \cong Y'$ then $X \oplus Y \cong X' \oplus Y'$.

If $\mathrm{dom}\,X = S \cup T$ and S and T are disjoint
then $X \sim (X \upharpoonright S) \oplus (X \upharpoonright T)$.

If $\mathrm{dom}\,X = S \cup T$ and $S < T$
then $X \cong (X \upharpoonright S) \oplus (X \upharpoonright T)$.

If $\mathrm{dom}\,X = [a, c]$ and $a \le b \le c$
then $X \cong (X \upharpoonright [a, b)) \oplus (X \upharpoonright [b, c])$.


For example, in proving the above left-shifting program, one must show

$a \le k-1 < b$ and $X \upharpoonright ([a, k-1) \cup (k-1, b]) \cong X_0 \upharpoonright (a, b]$

implies

$[X \mid k-1{:}\,X(k)] \upharpoonright ([a, k) \cup (k, b]) \cong X_0 \upharpoonright (a, b]$.

This can be proved by a sequence of realignments involving concatenations:

$[X \mid k-1{:}\,X(k)] \upharpoonright ([a, k) \cup (k, b])$

$\cong ([X \mid k-1{:}\,X(k)] \upharpoonright [a, k)) \oplus ([X \mid k-1{:}\,X(k)] \upharpoonright (k, b])$

$\cong ([X \mid k-1{:}\,X(k)] \upharpoonright [a, k-1)) \oplus ([X \mid k-1{:}\,X(k)] \upharpoonright [k-1, k-1])$
$\quad \oplus ([X \mid k-1{:}\,X(k)] \upharpoonright (k, b])$

$\cong (X \upharpoonright [a, k-1)) \oplus (X \upharpoonright [k, k]) \oplus (X \upharpoonright (k, b])$

$\cong (X \upharpoonright [a, k-1)) \oplus (X \upharpoonright (k-1, b])$

$\cong X \upharpoonright ([a, k-1) \cup (k-1, b])$

$\cong X_0 \upharpoonright (a, b]$.

Further applications of realignment arise in conjunction with preimages
and related concepts. For a function X and a set $U \subseteq \mathrm{cod}\,X$ let

$P(U, X) = \{\, i \mid i \in \mathrm{dom}\,X \text{ and } X(i) \in U \,\}$

be the preimage of U under X. Then

If $U' \subseteq U$ then $P(U', X) \subseteq P(U, X)$,

$P(U \cup U', X) = P(U, X) \cup P(U', X)$,

$P(U \cap U', X) = P(U, X) \cap P(U', X)$,

$P(U - U', X) = P(U, X) - P(U', X)$,

$P(U, X) = \mathrm{dom}\,X$ if and only if $\{X\} \subseteq U$,

$P(U, X) = \{\}$ if and only if U and $\{X\}$ are disjoint.

$P(U, X \cdot Y) = P(P(U, Y), X)$,

If $U' \subseteq U$ then $P(U', I_U) = U'$.

$P(U, X \upharpoonright S) = P(U, X) \cap S$.

$S \subseteq P(\{X \upharpoonright S\}, X)$.

$\{X \upharpoonright P(U, X)\} = U \cap \{X\}$.

$P(U, X \oplus Y) = P(U, X) + P(U, Y)$.

If $X \sim Y$ then $X \upharpoonright P(U, X) \sim Y \upharpoonright P(U, Y)$,

If $X \cong Y$ then $X \upharpoonright P(U, X) \cong Y \upharpoonright P(U, Y)$.


For a function X and set U, let

$X \cap U = X \upharpoonright P(\mathrm{cod}\,X \cap U, X)$,

$X - U = X \upharpoonright P(\mathrm{cod}\,X - U, X)$.

Then

$X \cap U = X$ if and only if $\{X\} \subseteq U$.

$X \cap U = \langle\rangle$ if and only if U and $\{X\}$ are disjoint.

$(X \cap U) \cap U' = X \cap (U \cap U')$.

$(X \oplus Y) \cap U = (X \cap U) \oplus (Y \cap U)$.

$\{X \cap U\} = \{X\} \cap U$,

If $X \sim Y$ then $X \cap U \sim Y \cap U$,

If $X \cong Y$ then $X \cap U \cong Y \cap U$.

and

$X - U = X$ if and only if U and $\{X\}$ are disjoint,

$X - U = \langle\rangle$ if and only if $\{X\} \subseteq U$,

$(X - U) - U' = X - (U \cup U')$,

$(X \oplus Y) - U = (X - U) \oplus (Y - U)$,

$\{X - U\} = \{X\} - U$,

If $X \sim Y$ then $X - U \sim Y - U$,

If $X \cong Y$ then $X - U \cong Y - U$.

In effect, $X \cap U$ and $X - U$ can be regarded as the intersection and difference
of the function X and the set U.


In conjunction with realignment these concepts can be used to specify
programs such as the following, which deletes array elements with values
outside of the interval [r, s]:

{[a, b) ⊆ dom X and X = X0}
begin integer d; c := a; d := a;
{whileinv: a ≤ c ≤ d ≤ b and X ↾ [a, c) ≅ (X0 ↾ [a, d)) ∩ [r, s]
           and X ↾ [d, b) = X0 ↾ [d, b)}
while d < b do
if (X(d) < r) or (s < X(d)) then d := d + 1
else begin X(c) := X(d); c := c + 1; d := d + 1 end
end


Another application is the following definition of stability (in the
sense of stable sorting):

Suppose X, Y, and K are functions such that cod X = cod Y
= dom K. Then X is a stable rearrangement of Y with respect
to K when

$(\forall k \in \mathrm{cod}\,K)\ X \cap P(\{k\}, K) \cong Y \cap P(\{k\}, K)$.
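The concepts of this appendix (restriction, realignment, the source-tupling concatenation, preimages, X ∩ U and X − U), the loop invariants of the two annotated programs above, and the stability definition, as an added executable example in Python. This code is not part of the report: it represents a function as a dict from indices to values, runs the left-shifting and deletion programs while asserting their stated invariants after every iteration, spot-checks several of the listed laws on small constructed inputs, and tests the stability definition on constructed keyed records. All helper names (realignment, restrict, concat, meet, left_shift, delete_outside, Closed, ...) and all sample data are my own choices, not the report's.

```python
# Added example, not from the report: executable versions of the Appendix E
# concepts, used to check the invariants of the two annotated programs.
# A "function" X is a Python dict {index: value}; dom X is its key set.
# All helper names here are my own, not the report's notation.

def realignment(x, y):
    """X ≅ Y: a monotone bijection B: dom X -> dom Y with X = B·Y.
    Between finite totally ordered domains the only monotone bijection pairs
    the i-th smallest index of dom X with the i-th smallest of dom Y."""
    return len(x) == len(y) and [x[i] for i in sorted(x)] == [y[j] for j in sorted(y)]

def rearrangement(x, y):
    """X ~ Y: some bijection B with X = B·Y, i.e. the same multiset of values."""
    return sorted(x.values()) == sorted(y.values())

def restrict(x, s):
    """X ↾ S (S only needs to support `in`)."""
    return {i: v for i, v in x.items() if i in s}

def concat(x, y):
    """X ⊕ Y on the source-tupled domain {1}×dom X ∪ {2}×dom Y; Python's tuple
    ordering is exactly the report's lexicographic ordering on ⟨x, y⟩."""
    return {**{(1, i): v for i, v in x.items()}, **{(2, j): v for j, v in y.items()}}

def preimage(u, x):
    """P(U, X) = {i | i ∈ dom X and X(i) ∈ U}."""
    return {i for i, v in x.items() if v in u}

def meet(x, u):
    """X ∩ U = X ↾ P(cod X ∩ U, X): keep the elements whose value lies in U."""
    return restrict(x, preimage(u, x))

def minus(x, u):
    """X − U = X ↾ P(cod X − U, X): drop the elements whose value lies in U."""
    return {i: v for i, v in x.items() if v not in u}

class Closed:
    """The closed interval [lo, hi] as a set-like U for P(U, X) (constructed helper)."""
    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
    def __contains__(self, v):
        return self.lo <= v <= self.hi

def left_shift(x, a, b):
    """The report's left-shifting program with its loop invariant asserted on
    entry and after every iteration.  Pre: a ≤ b and [a, b] ⊆ dom X."""
    x0 = dict(x)
    k = a
    def invariant():
        hole = set(range(a, k)) | set(range(k + 1, b + 1))   # [a, k) ∪ (k, b]
        return a <= k <= b and realignment(restrict(x, hole), restrict(x0, range(a + 1, b + 1)))
    assert invariant()
    while k < b:
        k = k + 1
        x[k - 1] = x[k]
        assert invariant()
    # post-condition of the report's annotation: X ↾ [a, b) ≅ X0 ↾ (a, b]
    assert realignment(restrict(x, range(a, b)), restrict(x0, range(a + 1, b + 1)))
    return x

def delete_outside(x, a, b, r, s):
    """The report's deletion program: keeps the X0 values lying in [r, s],
    compacted into X ↾ [a, c), asserting the invariant after every iteration."""
    x0 = dict(x)
    c = d = a
    def invariant():
        return (a <= c <= d <= b
                and realignment(restrict(x, range(a, c)),
                                meet(restrict(x0, range(a, d)), Closed(r, s)))
                and restrict(x, range(d, b)) == restrict(x0, range(d, b)))
    assert invariant()
    while d < b:
        if x[d] < r or s < x[d]:
            d = d + 1
        else:
            x[c] = x[d]; c = c + 1; d = d + 1
        assert invariant()
    return x, c

def stable_rearrangement(x, y, key):
    """The report's definition: for every k in cod K, X ∩ P({k}, K) ≅ Y ∩ P({k}, K).
    `key` is K as a dict over cod X = cod Y."""
    return all(realignment(meet(x, preimage({k}, key)), meet(y, preimage({k}, key)))
               for k in set(key.values()))

def laws_hold(x, y, z, u):
    """Spot-checks of some listed laws on concrete functions (evidence, not a proof)."""
    return (realignment(concat(concat(x, y), z), concat(x, concat(y, z)))
            and rearrangement(concat(x, y), concat(y, x))
            and realignment(concat(x, {}), x)
            and preimage(u, concat(x, y))
                == {(1, i) for i in preimage(u, x)} | {(2, j) for j in preimage(u, y)}
            and meet(concat(x, y), u) == concat(meet(x, u), meet(y, u))
            and minus(concat(x, y), u) == concat(minus(x, u), minus(y, u))
            and set(meet(x, u).values()) == set(x.values()) & set(u))
```

The invariant checks are deliberately written with the same restriction, realignment and X ∩ U operators the annotations use, so a failing assertion points at the exact conjunct of the invariant that was violated; `laws_hold` only tests the algebraic laws on particular inputs, which is a sanity check on the reading of the laws, not a substitute for the proofs.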
MISSION
of
Rome Air Development Center

RADC plans and executes research, development, test and
selected acquisition programs in support of Command, Control
Communications, and Intelligence (C3I) activities. Technical
and engineering support within areas of technical competence
is provided to ESD Program Offices (POs) and other ESD
elements. The principal technical mission areas are
communications, electromagnetic guidance and control, surveillance
of ground and aerospace objects, intelligence data
collection and handling, information system technology,
ionospheric propagation, solid state sciences, microwave
physics and electronic reliability, maintainability and
compatibility.